Port scanning in ActionScript 3.0 without DNS rebinding
In AS3 Adobe introduced a new socket-related event called SecurityErrorEvent. This event is always dispatched when the Flash Player tries to connect to a socket that it is not allowed to connect to.
The problem with the SecurityErrorEvent is that it is thrown immediately when the Flash Player tries to connect to a closed TCP port. If a service is listening on that port, the Flash Player writes the string "<policy-file-request/>" and waits for a response from the service. Nearly no TCP service will respond to this request.
We can assume the following: when the SWF tries to connect to a socket that it is not allowed to connect to and no SecurityErrorEvent arrives within 2 seconds, the port is most likely open.
A new Flash Player instance is used for every probed port because the Flash Player sends only one policy-file request per player, per host and per port.
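From the defender's side, the behaviour described above leaves a recognisable trace: a client that connects to an arbitrary service port and immediately writes the policy-file request, which the service never answers. The following Python script is an added example (not code from the original post) that runs this detection over constructed flow records; the Flow record layout, the 843 master-policy port exception and the threshold of five distinct ports per source are assumptions chosen for the illustration. It goes slightly beyond the page by also grouping probes per source to spot a sweep across many ports.

```python
# Added example: detect Flash socket policy-file probes in captured TCP flows.
# The flow records below are constructed sample data, not real captures.
from collections import defaultdict
from dataclasses import dataclass

# The literal request Flash Player writes after the TCP handshake, NUL-terminated.
POLICY_REQUEST = b"<policy-file-request/>\x00"
# Assumption: a socket master policy server normally answers on 843, so only
# probes to other ports are treated as suspicious.
POLICY_PORT = 843
# Assumption: distinct destination ports from one source before it counts as a sweep.
SCAN_PORT_THRESHOLD = 5


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    client_payload: bytes   # first bytes the client sent on the connection
    server_replied: bool    # did the service send anything back?


def is_policy_probe(flow: Flow) -> bool:
    """A Flash policy-file request aimed at anything but the master policy port."""
    return flow.client_payload.startswith(POLICY_REQUEST) and flow.dport != POLICY_PORT


def find_port_sweeps(flows, threshold: int = SCAN_PORT_THRESHOLD) -> dict:
    """Group policy probes by source and report sources touching >= threshold ports."""
    ports_by_src = defaultdict(set)
    for f in flows:
        if is_policy_probe(f):
            ports_by_src[f.src].add(f.dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


def leaked_open_ports(flows) -> list:
    """Probes that reached a listening service which never answered the request.

    These are exactly the connections the 2-second heuristic would mark as open:
    the connection succeeded, the service stayed silent, no SecurityErrorEvent."""
    return sorted({f.dport for f in flows if is_policy_probe(f) and not f.server_replied})


# Constructed sample: one source sweeps six service ports on a host, one host
# fetches a legitimate master policy, one is ordinary HTTP, one probe is answered.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.168.1.10", 843, POLICY_REQUEST, True),   # legitimate policy fetch
    Flow("10.0.0.5", "192.168.1.10", 22, POLICY_REQUEST, False),
    Flow("10.0.0.5", "192.168.1.10", 25, POLICY_REQUEST, False),
    Flow("10.0.0.5", "192.168.1.10", 80, POLICY_REQUEST, False),
    Flow("10.0.0.5", "192.168.1.10", 110, POLICY_REQUEST, False),
    Flow("10.0.0.5", "192.168.1.10", 443, POLICY_REQUEST, False),
    Flow("10.0.0.5", "192.168.1.10", 3306, POLICY_REQUEST, False),
    Flow("10.0.0.7", "192.168.1.10", 80, b"GET / HTTP/1.1\r\n", True),  # ordinary browser traffic
    Flow("10.0.0.8", "192.168.1.10", 5000, POLICY_REQUEST, True),  # single probe, service answered
]

if __name__ == "__main__":
    print("sweeps:", find_port_sweeps(SAMPLE_FLOWS))
    print("ports leaked as open:", leaked_open_ports(SAMPLE_FLOWS))
```

Closed ports never appear in such records at all, because the connection is refused before any payload is written; the probes that do show up are the ones that reached a listener. A service that answers the request (or closes the connection at once) removes the silent wait the heuristic relies on, which is why `leaked_open_ports` only counts unanswered probes.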