Exposing Flash Application Vulnerabilities with SWFScan

After months of hard work and late caffeine-fueled nights, HP’s Web Security Research Group is proud to release HP SWFScan.


HP SWFScan is a free Windows-based security tool to help developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security backgrounds identify vulnerabilities hidden within the application which cannot be detected with dynamic analysis methods.


Simply, point HP SWFScan at the SWF file for any Flash application and it will:



  • Decompile the ActionScript 2 or ActionScript 3 bytecode back to the original source code.

  • Audit the code for over 60 vulnerabilities including exposure of confidential data, Cross-Site Scripting (XSS) and cross-domain privilege escalation.

  • Validate the Flash application adherence with Adobe's security best practices.

HP SWFScan is not the first free Flash tool. Excellent decompilers such as Flare or OWASP’s SWFIntruder security tool have existed for a few years now. Unfortunately, the capabilities of free tools have not kept up with new Flash innovations such as the introduction of Flash 9 and 10, ActionScript 3, and Adobe’s Flex framework. HP’s SWFScan is the first and only free tool to decompile both ActionScript 2 and ActionScript 3 and analyze them for security vulnerabilities.


In addition, HP SWFScan offers several other features to help developers, code auditor/reviewers, and pen-testers examine the contents of Flash applications, including:



  • Highlighting the line of source code that contains the vulnerability to help better understand the context of the issue.

  • Providing summaries, details and remediation advice for each vulnerability in accordance with Adobe’s recommendation for secure Flash development.

  • Generating a vulnerability report to share and solve the detected issues.

  • Exporting the decompiled source code for use with other external tools.

  • Revealing all the URLs and web services the Flash Application contacts.

  • Flagging class names, function names, or variable names that may be of interest such as loadedUserXml or crypt()

While developing HP SWFScan, we downloaded and audited over 4000 Flash applications. We encountered numerous insecure applications and collected some interesting statistics:



  • Of 250 Flash applications we tested that had a login form 15% had user names or passwords hard-coded inside the application code.

  • 16% of SWF applications targeting Flash Player 8 and earlier contained XSS vulnerabilities.

  • 35% of all SWF applications violated Adobe's security best practices.

  • 77% of SWF applications targeting Flash Player 9 and 10 contained developer debugging information and source code file references.


(You can learn more about how we got these figures in our SWFScan FAQ)


A few things to note: HP SWFScan only looks at the portion a Flash applications that runs inside the browser. This is the SWF file that contains the Flash code Adobe's Flash player executes. It does not look at the components that run on the server. To conduct a complete security assessment of your applications, HP provides a suite of software and services for testing applications throughout the application lif....


Download HP SWFScan


Need Support or have a question about SWFScan? Visit our SWFScan Forum.


Video explanation of a Flash Attack: (AKA, Billy wins a Cheeseburger)

Comments
(anon) | ‎03-23-2009 09:41 AM

Quite slick work! Congrats colleagues!

(anon) | ‎03-23-2009 10:57 AM

Thanks

(anon) | ‎03-23-2009 12:33 PM

Pingback from  SecuraByte Episode 06:  HP SWFScan | SecuraBit

(anon) | ‎03-23-2009 02:08 PM

Your ssl cert has a problem, mister expert.

(anon) | ‎03-23-2009 08:39 PM

Pingback from  swfscan - Sicherheitscheck f??r Flash

(anon) | ‎03-24-2009 12:30 AM

Pingback from  HP ver??ffentlicht kostenloses Sicherheitswerkzeug f??r Flash-Entwickler | xobo.cc - Silvio Guder

(anon) | ‎03-24-2009 01:06 AM

Pingback from  .:: Securnetwork.net Blog - Massimo Rabbi ::.  » SWFScan: security tool gratuito da HP per gli sviluppatori Flash

(anon) | ‎03-24-2009 10:37 AM

Pingback from  HP ver??ffentlicht kostenloses Sicherheitswerkzeug f??r Flash-Entwickler | Blog von root_alpha

(anon) | ‎03-24-2009 10:56 AM

Pingback from  SWF Security Testing Tool von HP | Rich-Media Blog

(anon) | ‎03-24-2009 10:08 PM

Great tool! How about a Linux version? Most search engines and other folks who might want to run this tool on lots of websites aren't running Windows on their servers.

(anon) | ‎03-24-2009 10:09 PM

.NET 2.0 dependency?  Really?  This is a good example of why HP is such  a Sh*Ty company...  Pathetic and lazy.

(anon) | ‎03-25-2009 01:42 AM

Pingback from  SNOWBALL LABS | Previously ad2 labs

(anon) | ‎03-25-2009 12:30 PM

Pingback from  ??????????????????Adobe Flash??????????????? «  ??????IT???????????????IT?????????????????????????????????????????????????????????

(anon) | ‎03-25-2009 01:13 PM

Pingback from  iWeb Blog » iWeb Tech News Highlights: fast polling, first Linux Botnet, Flash vulnerabilities

(anon) | ‎03-25-2009 01:18 PM

Pingback from  iWeb Blog » Nouvelles Techno iWeb: serveurs de messagerie, botnet Linux, et vuln??rabilit??s Flash

(anon) | ‎03-25-2009 03:02 PM

Awesome utility!  It has unearthed some very interesting findings in some of my Flash files.  Thanks!!

(anon) | ‎03-25-2009 03:02 PM

hey, your link is broken, fix it damn you.

(anon) | ‎03-25-2009 03:19 PM

Pingback from  web-media-flash-exposure | markLtuttle

(anon) | ‎03-25-2009 04:35 PM

Pingback from  Adobe Flash Vulnerability Scanner  « Sharp Mind

(anon) | ‎03-25-2009 05:59 PM

Pingback from  What’s Been on my Mind at  aleatory

(anon) | ‎03-26-2009 03:48 PM

Pingback from  ?????????HP???????????????????????? | ????????????

(anon) | ‎03-26-2009 04:00 PM

Pingback from  Catch Security Vulnerabilities Using SwfScan

(anon) | ‎03-26-2009 11:21 PM

Pingback from  Catch Security Vulnerabilities Using SwfScan | Padub

(anon) | ‎03-27-2009 03:57 AM

Pingback from  HP SWFScan-adobe flash?????????????????????????????? | ??????

(anon) | ‎03-28-2009 07:59 AM

Pingback from  Free Baby Clipart

(anon) | ‎03-29-2009 05:35 PM

Pingback from  Exposing Flash Application Vulnerabilities with SWFScan | technichristian.net

(anon) | ‎03-29-2009 08:31 PM

Pingback from  localToGlobal  » Blog Archive   » news review -> 13th week of 2009

(anon) | ‎04-01-2009 11:20 AM

Pingback from  NS?????? » ?????????HP????????????????????????

(anon) | ‎04-02-2009 02:48 PM

Pingback from  Seguindo os padr??es de seguran??a da Adobe | Andr?? Carib??

(anon) | ‎04-03-2009 07:36 AM

Warto przeczytać: Exposing Flash Application Vulnerabilities with SWFScan. A tak to narzędzie można wykorzystać: Code in a Flash.

(anon) | ‎04-21-2009 07:48 AM

Pingback from  HP’s SWFScan does not find simple XSS in Flash Apps | SecureThoughts.com

(anon) | ‎04-27-2009 12:39 PM

Pingback from  Topics about Flash  » Exposing Flash Application Vulnerabilities with SWFScan - The HP…

(anon) | ‎05-05-2009 05:04 AM

Pingback from  Info Sec News, May 5, 2009 « InfoSec Philippines

(anon) | ‎05-15-2009 06:07 AM

Pingback from  O “HP SWFScan”: uma ferramenta da HP para auditar ficheiros Flash « Q u i n t u s

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.