

A week ago HP released a tool called SwfScan to help Flash developers identify security vulnerabilities in their code. SwfScan takes the path to a .SWF as input, decompiles it to source code, and analyzes the source code to identify security vulnerabilities.
SwfScan can decompile both AS2 and AS3 and, using static analysis, identify over 60 vulnerabilities, including exposure of confidential data, cross-site scripting and cross-domain privilege escalation; it also validates the app’s adherence to Adobe’s security best practices.
The HP Web Security Research Group tested over 4000 Flash apps and found some interesting results. For example, 77% of SWF applications targeting Flash Player 9 and 10 contained developer debugging information and source code file references.
Google returned design.swf as the first result when I searched adobe.com for SWF filetypes. Written for Flash Player 9 with AS3, it falls into the statistic mentioned above. For many of the SWFs I’ve tried SwfScan on, the main recommended fix was to set “Omit Trace Actions” to ‘true’.
The tool is very easy to use and quite fast. It could be another good tool for every Flash developer to run before shipping a SWF. It takes a few minutes to download and a few seconds to scan. While SwfScan is free, it is, sorry, Windows-only. You can read more about SwfScan and download it from the HP Security Laboratory.
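The debugging leftovers behind the 77% statistic (debugger tags and compiler-emitted source paths) can be checked without SwfScan and on any platform. The following Python script is an added example, not part of the original post or of HP’s tool: it walks the SWF tag list, flags the EnableDebugger, EnableDebugger2 and DebugID tags, and heuristically looks for .as source paths inside DoABC blocks. The sample SWFs it builds (make_swf, make_tag and the DoABC stubs) are constructed for the demonstration only and do not contain valid ActionScript bytecode.

```python
import struct
import zlib

# Tag codes from the Adobe SWF file format specification.
TAG_END = 0
TAG_SHOW_FRAME = 1
TAG_ENABLE_DEBUGGER = 58    # Flash Player 5 debugger password
TAG_DEBUG_ID = 63           # UUID tying the SWF to its debug build
TAG_ENABLE_DEBUGGER2 = 64   # Flash Player 6+ debugger password
TAG_DO_ABC = 82             # AS3 bytecode block

DEBUG_TAGS = {
    TAG_ENABLE_DEBUGGER: "EnableDebugger",
    TAG_DEBUG_ID: "DebugID",
    TAG_ENABLE_DEBUGGER2: "EnableDebugger2",
}


def swf_body(data):
    """Return the movie bytes after the 8-byte header, inflating CWS files."""
    signature = data[:3]
    if signature == b"FWS":
        return data[8:]
    if signature == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature %r" % signature)


def iter_tags(body):
    """Yield (code, payload) for each tag record in an uncompressed movie body."""
    # The body opens with a RECT: a 5-bit field width, then four fields of that
    # width, padded to a byte boundary. Frame rate and frame count (UI16 each) follow.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4
    while pos + 2 <= len(body):
        (header,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:  # long form: an SI32 length follows the header
            (length,) = struct.unpack_from("<i", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def scan_debug_info(data):
    """Return a list of debug-related findings for one SWF; empty when clean."""
    findings = []
    for code, payload in iter_tags(swf_body(data)):
        if code in DEBUG_TAGS:
            findings.append(DEBUG_TAGS[code])
        elif code == TAG_DO_ABC and b".as" in payload:
            # Heuristic: source paths emitted for debugfile opcodes survive in
            # the ABC string pool when the compiler keeps debug information.
            findings.append("source file reference in DoABC")
    return findings


# --- Constructed sample SWFs (hypothetical, not files from adobe.com) --------

def make_tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<Hi", (code << 6) | 0x3F, len(payload)) + payload


def make_swf(tags, compress=False):
    rect = b"\x08\x00"                            # RECT with 1-bit fields, all zero
    body = rect + struct.pack("<HH", 24 << 8, 1)  # 24 fps (8.8 fixed), one frame
    body += b"".join(tags) + make_tag(TAG_END, b"")
    header = (b"CWS" if compress else b"FWS") + bytes([9])
    header += struct.pack("<I", 8 + len(body))    # uncompressed file length
    return header + (zlib.compress(body) if compress else body)


# DoABC payload stubs: flags (UI32), block name, then a fake string pool entry
# holding a developer's source path. No real ABC bytecode follows.
DEBUG_ABC = b"\x01\x00\x00\x00frame1\x00" + b"C:\\projects\\design\\src\\Main.as\x00"
CLEAN_ABC = b"\x01\x00\x00\x00frame1\x00"

DEBUG_SWF = make_swf([
    make_tag(TAG_ENABLE_DEBUGGER2, b"\x00\x00\x00"),  # reserved UI16 + empty password
    make_tag(TAG_DO_ABC, DEBUG_ABC),
    make_tag(TAG_SHOW_FRAME, b""),
])
CLEAN_SWF = make_swf([make_tag(TAG_DO_ABC, CLEAN_ABC), make_tag(TAG_SHOW_FRAME, b"")])

if __name__ == "__main__":
    for name, swf in (("debug build", DEBUG_SWF), ("release build", CLEAN_SWF)):
        print(name, "->", scan_debug_info(swf) or "no debug information")
```

Replace DEBUG_SWF with the bytes of a real file (`open(path, "rb").read()`) to check a build before it ships; LZMA-compressed ZWS files are not handled by swf_body, and the ".as" substring search is a heuristic that a decompiler such as SwfScan replaces with an actual read of the ABC string pool.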
Hi Sravan,
I find the tool interesting but I’m a bit underwhelmed by its tests. Most of what it returned for me were “be careful you have traces”. Woohoo!
So, nice start, but it needs to beef up the tests.
Ariel
I agree that the analysis mostly seems very generic. Its list of vulnerabilities where it points to the line number is the effective part. But yes, they do need to increase the depth and clarity, and they probably will.