04-03-2009 10:28 PM
How do we scan Flash applications protected by a login? Does SWFScan support/have something like a login macro/script that can be used to direct the tool to scan the actual application? I have been to the settings and do not find anything related. When I try to enter the URL of the Flash application, it complains of a malformed Flash application. (The URL, if entered in a browser, redirects to a login page and, once valid credentials are submitted, takes us to the actual Flash application.)
Also, are the features of SWFScan integrated into WebInspect 8.0?
04-14-2009 09:00 PM
You are correct, SWFScan does not support authentication. It expects to have unhindered access to the target SWF file.
SWFScan is a prototype tool developed by our Web Security Research
Group as a showcase of our technology innovation. With the release of
the tool we wanted to share with the industry the incredible
advancements of our research team and help move the market forward.
WebInspect 8.0 has some of these abilities – it can statically analyze,
find vulnerabilities in, and report on the more current
versions of Flash which companies use to build complex rich internet
applications on, including those with business logic. This is in
contrast to the previous Flash versions (v8 and earlier) which were
primarily used by marketing teams for content delivery, which are still
supported with WebInspect’s previous abilities from 7.7.
-- Habeas Data
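
A check related to the exchange above, added here as an example and not part of either post or of SWFScan: when a URL redirects to a login page, the bytes fetched are HTML rather than an SWF file, which can be confirmed from the 8-byte SWF header (signature `FWS`/`CWS`/`ZWS`, version byte, little-endian uncompressed length). The function names, the 64 MiB inflate cap and the sample inputs are assumptions constructed for illustration; the version flag mirrors the "v8 and earlier" distinction in the reply.

```python
import struct
import zlib

MAX_UNCOMPRESSED = 64 * 1024 * 1024  # cap on inflated size for untrusted input
COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def inspect_swf(body: bytes) -> dict:
    """Classify a fetched response body and parse the 8-byte SWF header."""
    if len(body) < 8:
        return {"is_swf": False, "reason": "too short for an SWF header"}
    sig = body[:3]
    if sig not in COMPRESSION:
        head = body[:512].lstrip().lower()
        html = head.startswith((b"<!doctype", b"<html")) or b"<form" in head
        reason = "HTML page, likely a login redirect" if html else "unknown signature"
        return {"is_swf": False, "reason": reason}
    version = body[3]
    declared = struct.unpack("<I", body[4:8])[0]  # uncompressed file length
    info = {"is_swf": True, "compression": COMPRESSION[sig], "version": version,
            "v8_or_earlier": version <= 8, "declared_length": declared,
            "length_ok": None}  # None: not checked (LZMA body)
    if sig == b"FWS":
        info["length_ok"] = len(body) == declared
    elif sig == b"CWS":
        try:
            inflater = zlib.decompressobj()
            out = inflater.decompress(body[8:], MAX_UNCOMPRESSED)
            info["length_ok"] = (8 + len(out) == declared
                                 and not inflater.unconsumed_tail)
        except zlib.error:
            info["length_ok"] = False
    return info


def make_sample(sig: bytes, version: int, payload: bytes) -> bytes:
    """Build a constructed sample: valid header, placeholder body bytes."""
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(payload))
    return header + (zlib.compress(payload) if sig == b"CWS" else payload)


# Constructed samples (not real application data).
LOGIN_PAGE = b"<html><body><form action='/login' method='post'></form></body></html>"
SAMPLES = {
    "login redirect": LOGIN_PAGE,
    "uncompressed v8": make_sample(b"FWS", 8, b"\x00" * 32),
    "zlib v10": make_sample(b"CWS", 10, b"\x00" * 32),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_swf(data))
```
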