JSONP & handcrafted Flash files

I gave a talk at ASFWS 2013 about JSONP security. The purpose of my talk was to share some knowledge related to attacking and securing JSONP endpoints.

The talk started with an overview of JSONP, followed by a combination of well known and lesser known security issues.

I then talked about crafting Flash files containing only specific bytes. The purpose of such files is to CSRF the domain hosting the JSONP endpoint: the attacker passes the bytes of the Flash file as the callback parameter, the endpoint reflects them at the very start of the response, and the Flash player, which ignores the Content-Type header and only looks at the first bytes of what it loads, executes the response as a SWF file running with the origin of the JSONP domain.

These are the notes I gathered while preparing the talk. Credits to Erling for exploring these issues with me and debugging my work.

There are three types of data providers: stateless (public data, no authentication), token based (a secret token travels in the request URL) and cookie based (the request is authenticated by the browser's ambient cookies). The cookie based type is the one that matters for CSRF: any page can load the endpoint and the browser attaches the victim's cookies.

Injecting a Flash file as the callback value can lead to a CSRF for the following reasons.

The SWF file format specification is not strictly enforced by current Flash players: the example below carries a version byte of 0x6a and a declared file length of 0x696b6361 bytes, neither of which matches the 79 bytes actually present, and the player still loads it.

Most compression algorithms generate "instructions", which the decompression algorithm interprets. Several different instruction sequences usually decompress to the same data, so the compressor is free to choose among them.

Let's imagine a run-length compression system. The string "AAAA" can be compressed as "4A", "2A,2A", "A,3A", etc. "4A" is obviously the most efficient compression, but the other options are valid too.

In general, compression algorithms are designed to create the smallest possible stream. We can, however, write a compressor that only picks instructions whose encoding consists of allowed bytes, at the cost of a larger stream.
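To make the compression argument concrete, here is a toy run-length encoder (an added example written for these notes, not part of the original talk) whose count digits are restricted to an allowed alphabet. The restriction to the digits 1 to 3 and the sample input are constructed for the illustration. It generalizes the "AAAA" example: every run is split greedily into allowed counts, so the output still decodes to the same data but never contains a forbidden byte, at the cost of a longer stream.

```javascript
// Added example (not from the original talk): a toy run-length encoder whose
// count symbols are restricted to an allowed alphabet. It shows the principle
// behind the handcrafted SWF: a compressor may pick any of several equivalent
// encodings, so it can avoid forbidden bytes at the cost of output size.

// Format: pairs of (count digit, symbol); "4A" decodes to "AAAA".
// `allowedCounts` is the constructed restriction: the count digits (1..9) the
// encoder is permitted to emit. 1 must be allowed so that every run is encodable.
function rleEncode(input, allowedCounts) {
  const counts = [...new Set(allowedCounts)].sort((a, b) => b - a);
  if (!counts.every((c) => Number.isInteger(c) && c >= 1 && c <= 9)) {
    throw new Error('count digits must be integers in 1..9');
  }
  if (counts[counts.length - 1] !== 1) {
    throw new Error('count 1 must be allowed, otherwise some runs are unencodable');
  }
  let out = '';
  let i = 0;
  while (i < input.length) {
    const symbol = input[i];
    let run = 0;
    while (i + run < input.length && input[i + run] === symbol) run++;
    i += run;
    // Greedy split: an unconstrained encoder emits one pair per run; the
    // constrained one emits the largest allowed count until the run is used up.
    while (run > 0) {
      const c = counts.find((k) => k <= run);
      out += String(c) + symbol;
      run -= c;
    }
  }
  return out;
}

// Decoder: the same for every encoder choice, exactly like a zlib inflater
// does not care which of the equivalent deflate streams it is given.
function rleDecode(encoded) {
  if (encoded.length % 2 !== 0) throw new Error('truncated stream');
  let out = '';
  for (let j = 0; j < encoded.length; j += 2) {
    const count = Number(encoded[j]);
    if (!(count >= 1 && count <= 9)) throw new Error(`bad count at offset ${j}`);
    out += encoded[j + 1].repeat(count);
  }
  return out;
}

// True when every character of `encoded` is in `allowedBytes` (a Set of characters).
function usesOnly(encoded, allowedBytes) {
  return [...encoded].every((ch) => allowedBytes.has(ch));
}

const ALL_COUNTS = [1, 2, 3, 4, 5, 6, 7, 8, 9];
const RESTRICTED_COUNTS = [1, 2, 3]; // constructed: pretend the bytes '4'..'9' are forbidden

const sample = 'AAAAAAAAAAAB'; // constructed input: eleven A's then a B
console.log(rleEncode(sample, ALL_COUNTS));        // 9A2A1B (smallest stream)
console.log(rleEncode(sample, RESTRICTED_COUNTS)); // 3A3A3A2A1B (longer, only digits 1-3)
console.log(rleDecode(rleEncode(sample, RESTRICTED_COUNTS)) === sample); // true
```

The real case swaps the count digits for deflate instructions (literals, back-references and Huffman tables), where the choice space is far richer, but the idea is the same: the decoder accepts any valid stream, so the encoder gets to decide which bytes appear on the wire.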

As an example, here is a valid zlib compressed (CWS) Flash file which only uses bytes in the 0x03-0x7e range:

0000000: 4357 536a 6163 6b69 6843 5254 5464 6060  CWSjackihCRTTd``
0000010: 6030 6006 681a 3b03 437c 517e 7e09 0340  `0`.h.;.C|Q~~..@
0000020: 323e 2e7e 3e3e 4911 4060 3c0b 3046 0606  2>.~>>I.@`<.0F..
0000030: 0303 0606 0606 0606 0606 2f61 316f 6b06  ........../a1ok.
0000040: 0606 0606 0606 0706 0606 404e 0b09 12    ..........@N...
A hardened JSONP endpoint answers like this (the JSON body is elided):

HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 20:45:39 GMT
Server: Apache
Content-Type: application/json
X-Content-Type: nosniff

/**/onTopping({... json encoded data ...})

The /**/ prefix is what defeats the Flash trick: the player only accepts a response whose first three bytes are a SWF signature, and with the prefix those bytes are chosen by the server, not by the caller. Note that the header browsers honour is X-Content-Type-Options: nosniff; the X-Content-Type header shown above has no effect.
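Putting the mitigations together, here is an added example (not code from the original talk or from any real endpoint) that models a JSONP response builder in Node.js, once reflecting the callback untouched and once hardened. The callback policy, the header set, the callback names and the payload are constructed for the example.

```javascript
// Added example (not from the original talk): a pure function modelling how a
// JSONP endpoint builds its response, in a weak form that reflects the callback
// untouched and a hardened form. Names, policy and payload are constructed.

// Signatures a Flash player looks for in the first three bytes of a response
// (FWS: uncompressed, CWS: zlib, ZWS: LZMA).
const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

// Dotted JavaScript identifier, e.g. "onTopping" or "app.handlers.topping".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

// Weak: whatever the caller sends becomes the first bytes of the body, so a
// callback that is a SWF file turns the whole response into a SWF file.
function weakJsonp(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json' },
    body: `${callback}(${JSON.stringify(data)})`,
  };
}

// Hardened: validate the callback, and in any case prefix the body so the
// response can never start with a SWF signature, whatever the callback is.
function hardenedJsonp(callback, data) {
  if (typeof callback !== 'string' ||
      callback.length > MAX_CALLBACK_LENGTH ||
      !CALLBACK_RE.test(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: {
      // text/javascript rather than application/json: browsers that enforce
      // nosniff on <script> refuse to execute a non-script MIME type.
      'Content-Type': 'text/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      // Defense in depth recommended for JSONP: Flash does not run SWFs served
      // as attachments, while <script src> still executes the body.
      'Content-Disposition': 'attachment; filename="f.txt"',
    },
    body: `/**/${callback}(${JSON.stringify(data)})`,
  };
}

// Would a Flash player treat this body as a SWF file?
function looksLikeSwf(body) {
  return SWF_SIGNATURES.some((sig) => body.startsWith(sig));
}

// Constructed attacker input: the first bytes of the handcrafted SWF above.
const SWF_CALLBACK = 'CWSjackihCRTTd``\x600`\x06h';
const payload = { toppings: ['cheese', 'ham'], user: 'alice' }; // constructed data

console.log(looksLikeSwf(weakJsonp(SWF_CALLBACK, payload).body)); // true
console.log(hardenedJsonp(SWF_CALLBACK, payload).status);         // 400
console.log(hardenedJsonp('onTopping', payload).body);            // /**/onTopping({...})
console.log(looksLikeSwf(hardenedJsonp('CWSjackih', payload).body)); // false: prefix wins
```

The last line is the important one: a callback such as "CWSjackih" passes the identifier whitelist, and a SWF consisting only of alphanumeric bytes is possible (Rosetta Flash demonstrated one in 2014), so the whitelist alone is not a sufficient defense. The /**/ prefix makes the first bytes of the response independent of the caller, which is what actually closes the hole; the whitelist and the headers limit what else the endpoint can be abused for.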