Abstract

[audio] (http://media.blackhat.com/bh-dc-09/audio/BlackHat_DC_2009_Jagdale_Blinded_by_Flash.mp3)

In this presentation I will examine the Flash framework and then delve into the Flash security model and the transitions it has undergone over the years. To explore the avenues of compromise in the security model, I will use a test Flash application and demonstrate various attack vectors including Cross-Site Request Forgery, data injection and script injection. During this demonstration, I will explain the associated threats in detail and discuss means to mitigate these threats. Even though the test application validates the attack surface, the question remains: how many applications actually deployed are vulnerable to these threats? I will answer this question by providing astonishing statistics about vulnerable, real world applications I was able to find using simple Google queries.