
Catch Security Vulnerabilities Using SwfScan

Posted by Sravan | March 26, 2009

A week ago HP released a tool called SwfScan to help Flash developers identify security vulnerabilities in their code. SwfScan takes the path to a .SWF as input, decompiles it to source code, and analyzes the source code to identify security vulnerabilities.

SwfScan can decompile both AS2 and AS3 and, using static analysis, identify over 60 vulnerabilities, including exposure of confidential data, cross-site scripting and cross-domain privilege escalation; it also validates the app’s adherence to Adobe’s security best practices.

The HP Web Security Research Group tested over 4000 Flash apps and found some interesting results; for example, 77% of SWF applications targeting Flash Player 9 and 10 contained developer debugging information and source code file references.

[Screenshot: SwfScan]

Google returned design.swf as the first result when I searched adobe.com for SWF filetypes. Written for Flash Player 9 with AS3, it falls into the statistic mentioned above. For many of the SWFs I’ve tried SwfScan with, setting “Omit Trace Actions” to ‘true’ was the main recommended fix.
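The debug-information finding above (debugger tags and source-file references left in a release SWF) can be checked without a decompiler, because both live in the SWF container itself. The following is an added example, not SwfScan’s code or anything from HP: it reads the SWF header, inflates a zlib-compressed (CWS) body, walks the tag list and reports the EnableDebugger, EnableDebugger2 and DebugID tags (tag codes 58, 64 and 63 in the SWF specification) plus any `.as` source paths found in tag payloads. The sample SWF, its tag contents and the `src/com/example/Main.as` path are constructed for the demonstration; the `.as` regex is a heuristic, and trace() calls themselves are not detected, since that would require parsing the ActionScript bytecode.

```python
"""Scan a SWF for debug-build indicators (added example, not SwfScan's code)."""
import re
import struct
import zlib

# Tag codes from the SWF file format specification.
TAG_END = 0
TAG_DO_ABC = 82
TAG_NAMES = {58: "EnableDebugger", 63: "DebugID", 64: "EnableDebugger2"}
DEBUG_TAGS = set(TAG_NAMES)

# Heuristic (assumption): source-file references a debug build leaves behind.
SOURCE_REF_RE = re.compile(rb"[A-Za-z0-9_./\\-]+\.as\b")


def decompress_swf(data: bytes) -> bytes:
    """Return the body after the 8-byte header, inflating CWS files."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError(f"unsupported signature {sig!r} (LZMA 'ZWS' not handled here)")


def skip_frame_header(body: bytes) -> int:
    """Offset of the first tag: bit-packed RECT, then frame rate and frame count."""
    nbits = body[0] >> 3                     # top 5 bits give the field width
    rect_bytes = (5 + 4 * nbits + 7) // 8    # four fields of nbits, byte-aligned
    return rect_bytes + 2 + 2


def iter_tags(body: bytes, start: int):
    """Yield (tag_code, payload) until the End tag or a truncated file."""
    pos = start
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                   # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        yield code, payload
        if code == TAG_END:
            break


def scan_swf(data: bytes) -> dict:
    """Report player version, debug tags present and source-file references."""
    body = decompress_swf(data)
    findings = {"player_version": data[3], "debug_tags": [], "source_refs": set()}
    for code, payload in iter_tags(body, skip_frame_header(body)):
        if code in DEBUG_TAGS:
            findings["debug_tags"].append(TAG_NAMES[code])
        findings["source_refs"].update(m.decode() for m in SOURCE_REF_RE.findall(payload))
    findings["source_refs"] = sorted(findings["source_refs"])
    return findings


# --- constructed sample: a minimal SWF with a debug tag and a source path ---
def build_tag(code: int, payload: bytes) -> bytes:
    """Encode a tag in the long form (6-bit length field set to 0x3F)."""
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload


def build_sample_swf(compress: bool = False) -> bytes:
    """Flash Player 9 SWF: empty RECT, 12 fps, one frame, three tags."""
    frame = bytes([0x00]) + struct.pack("<HH", 0x0C00, 1)
    tags = (build_tag(64, b"\x00\x00\x00")                               # EnableDebugger2
            + build_tag(TAG_DO_ABC, b"\x00" * 4 + b"src/com/example/Main.as\x00")
            + build_tag(TAG_END, b""))
    body = frame + tags
    header = (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    print(scan_swf(build_sample_swf(compress=True)))
```

A clean release build should report an empty `debug_tags` list and no `source_refs`; either being non-empty is the cheap pre-ship check this post recommends SwfScan for.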

The tool is very easy to use and quite fast. It could be another good tool for every Flash developer to run before shipping a SWF: it takes a few minutes to download and a few seconds to scan. While SwfScan is free, it is, sorry, Windows-based. You can read more about SwfScan and download it from the HP Security Laboratory.


2 Comments so far
  1. ariel sommeria  March 27, 2009 2:38 am

    Hi Sravan,
    I find the tool interesting but I’m a bit underwhelmed by its tests. Most of what it returned for me were “be careful you have traces”. Woohoo!
    So, nice start, but it needs to beef up the tests.
    Ariel

  2. Sravan  March 27, 2009 5:46 am

    I agree that the analysis mostly seems very generic. Its list of vulnerabilities where it points to the line number is the effective part. But yes, they do need to increase the depth and clarity, and they probably will.
