HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Exposing Flash Application Vulnerabilities with SWFScan

After months of hard work and late caffeine-fueled nights, HP’s Web Security Research Group is proud to release HP SWFScan.

HP SWFScan is a free Windows-based security tool to help developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security backgrounds identify vulnerabilities hidden within the application which cannot be detected with dynamic analysis methods.

Simply, point HP SWFScan at the SWF file for any Flash application and it will:

  • Decompile the ActionScript 2 or ActionScript 3 bytecode back to the original source code.

  • Audit the code for over 60 vulnerabilities including exposure of confidential data, Cross-Site Scripting (XSS) and cross-domain privilege escalation.

  • Validate the Flash application adherence with Adobe's security best practices.

HP SWFScan is not the first free Flash tool. Excellent decompilers such as Flare or OWASP’s SWFIntruder security tool have existed for a few years now. Unfortunately, the capabilities of free tools have not kept up with new Flash innovations such as the introduction of Flash 9 and 10, ActionScript 3, and Adobe’s Flex framework. HP’s SWFScan is the first and only free tool to decompile both ActionScript 2 and ActionScript 3 and analyze them for security vulnerabilities.

In addition, HP SWFScan offers several other features to help developers, code auditor/reviewers, and pen-testers examine the contents of Flash applications, including:

  • Highlighting the line of source code that contains the vulnerability to help better understand the context of the issue.

  • Providing summaries, details and remediation advice for each vulnerability in accordance with Adobe’s recommendation for secure Flash development.

  • Generating a vulnerability report to share and solve the detected issues.

  • Exporting the decompiled source code for use with other external tools.

  • Revealing all the URLs and web services the Flash Application contacts.

  • Flagging class names, function names, or variable names that may be of interest such as loadedUserXml or crypt()

While developing HP SWFScan, we downloaded and audited over 4000 Flash applications. We encountered numerous insecure applications and collected some interesting statistics:

  • Of 250 Flash applications we tested that had a login form 15% had user names or passwords hard-coded inside the application code.

  • 16% of SWF applications targeting Flash Player 8 and earlier contained XSS vulnerabilities.

  • 35% of all SWF applications violated Adobe's security best practices.

  • 77% of SWF applications targeting Flash Player 9 and 10 contained developer debugging information and source code file references.

(You can learn more about how we got these figures in our SWFScan FAQ)

A few things to note: HP SWFScan only looks at the portion a Flash applications that runs inside the browser. This is the SWF file that contains the Flash code Adobe's Flash player executes. It does not look at the components that run on the server. To conduct a complete security assessment of your applications, HP provides a suite of software and services for testing applications throughout the application lifecycle.

Download HP SWFScan

Need Support or have a question about SWFScan? Visit our SWFScan Forum.

Video explanation of a Flash Attack: (AKA, Billy wins a Cheeseburger)

Prajakta Jagdale at ShmooCon: Blinded by Flash - Widespread Security Risks Flash Developers Don't See

ShmooCon begins today in DC, and as usual, they have lined up an informative and topical schedule of security talks. The HP Web Security Research Group's own Prajakta Jagdale is scheduled to speak on Saturday at 2pm about the security of applications developed using the Adobe Flash Platform. Prajakta and the group have completed an in-depth research project where they studied numerous applications built on the Adobe Flash Platform and found that many of the security issues that are common in Web applications also exist in applications developed with Adobe Flash. Here is an overview of Prajakta's ShmooCon talk and a little bit about her background: In a rush to adopt the dazzling Flash technology, website developers tend to use quick and dirty hacks to get their applications to work and in the process sidestep any security features provided by the technology. The presentation will look at applications built on the Adobe Flash Platform encountered in the wild that are a result of insecure development practices and demonstrate the ease with which they can be compromised. Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Her current research efforts are concentrated towards identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis.


More information about her presentation can be found here: http://www.shmoocon.org/presentations-all.html



Tags: SWFScan
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.