AFLAX and something more
You think that you have seen all of it, but life is full of little surprises. I don't quite remember when I first heard of AFLAX; however, today it made me think seriously about the design of the AttackAPI library that I am slowly building up when I have time.
AFLAX is a quite well-designed JavaScript-Flash integration framework that you can use to produce SWF content on the fly. Apart from the fact that you can make some nice flashy effects, AFLAX can be used by security-aware people to test and develop new attack vectors and, of course, to find a cure if possible.
AFLAX has nice socket functionality, which I haven't really tried yet apart from the demos provided on the AFLAX website, which seem to be working quite well. Although crossdomain policies are still applied when using sockets, it is still very useful to have them for the cases where somebody has messed up the policy very badly.
Finally, here is the one million dollar question: do the bad guys have the technology to produce total web mayhem? Probably yes! The technology is here and it is ready for prime-time criminal use. All the bad guys need to do is reuse a component from that website and another one from this website – we have a mashup – a malicious mashup. They don't even need to host their own malicious content. This operation will be handled by nice service providers such as Google, MSN/Live and Flickr, to name a few. Your ISP won't block Google because it would be almost like your local water company removing your pipes while still allowing you to wash your face.
The more I look into it, the more I realize that things are getting worse with every single day that goes by. For me and everybody else who is interested in this type of attack vector, all that is left is a mess-up instead of a mashup. People still believe that XMLHttpRequest should not be restricted by dumb crossdomain policies just because the third generation of the web will enable some new and exciting applications to fly. At the same time, a bunch of exciting and quite happy worms spread around with the speed of light, backdooring almost every website and machine owned by WEB2.0/3.0 evangelists.
I am not against WEB2.0, I quite like it in fact, but the price to pay is too high. Unless we sort out some highly concerning security problems with today's web we should not even think about moving forward, but then that's not up to you and me, is it?
All I know is that tomorrow I have to check my mail and also browse the web, and I had better be ready. Switch off JavaScript, stop Flash and Java, disable your browser completely and use only wget. Of course, make sure that you are using a proper terminal, otherwise you will get hacked while you are dumping your favorite blog feed because someone injected special terminal characters inside it, which will interrupt the normal flow, inject malicious commands and then, just a fraction of a second later, release the flow again as if nothing had really happened.
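For the terminal case in the last paragraph, here is an added example (not code from the original post or from AttackAPI) of a filter that makes escape sequences and control characters in fetched content visible instead of letting the terminal interpret them. The function name `neutralize` and the sample feed bytes are assumptions constructed for illustration.

```python
import re
import sys

# ESC-introduced sequences a terminal would act on rather than display.
_ESCAPE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: cursor movement, erase, colours
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: window title and similar strings
    r"|\x1b[PX^_][^\x1b]*(?:\x1b\\)?"        # DCS, SOS, PM, APC strings
    r"|\x1b[ -/]*[0-~]?"                     # any other (or truncated) escape
)
# Remaining C0/C1 controls and DEL; tab and newline are left alone.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _visible(match):
    """Rewrite each control character in the match as a printable \\xNN token."""
    return "".join(
        f"\\x{ord(c):02x}" if ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F else c
        for c in match.group(0)
    )


def neutralize(data):
    """Return (safe_text, findings) for raw bytes fetched from an untrusted source."""
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n")
    findings = []

    def record(match):
        findings.append(match.group(0))
        return _visible(match)

    safe = _ESCAPE.sub(record, text)   # whole sequences first, so they are reported intact
    safe = _CONTROL.sub(record, safe)  # then any stray control characters
    return safe, findings


# Constructed sample: a feed fragment carrying a title-setting OSC sequence and
# an erase-line CSI followed by a carriage return.
SAMPLE = (b"<title>Weekly notes\x1b]0;constructed\x07</title>\r\n"
          b"<p>line\x1b[2K\rrewritten</p>\n")

if __name__ == "__main__":
    safe_text, found = neutralize(sys.stdin.buffer.read())
    sys.stdout.write(safe_text)
    if found:
        print(f"[!] neutralized {len(found)} control sequence(s)", file=sys.stderr)
```

Saved as a script (the file name is up to you), it sits between the download and the screen, for example `wget -qO- <feed-url> | python3 neutralize.py`.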
