Tuesday 2 July 2013

Penetration Testing Flex/Flash Web App - The Relaxing Way

HP SWFScan, a free tool developed by HP Web Security Research Group, will automatically find security vulnerabilities in applications built on the Flash platform.

*Disclaimer: I am not a web developer or an expert in Adobe Flash/Flex, but I received a web app engagement involving a website that uses only Adobe Flash/Flex, hence my search through the internet to find the easiest way to analyze Flash/Flex code...

Download the SWFScan from here:
http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167#.UdLgmvlvDO0


Run SWFscan.exe.


The options and the list of checks


Enter the URL of the file, ending with the .swf extension, and click Get. SWFScan will decompile the .swf file and list the code. You can also provide the path to extracted .swf files. To do that, refer to this:
http://securityg33k.blogspot.sg/2013/07/swf-files-how-to-extract-them-using.html
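
Before loading an extracted file into SWFScan, it helps to confirm that it really is a SWF, whatever its extension. The following is an added example, not part of the original post or of SWFScan: it checks the SWF signature and header, unpacks zlib-compressed (CWS) files, and lists URLs stored as plain ASCII in the body. The function names and the sample bytes are constructed for illustration.

```python
import re
import struct
import zlib

# Assumption: URLs of interest sit in the uncompressed body as plain ASCII strings.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def inspect_swf(data: bytes) -> dict:
    """Validate a SWF header and return basic triage facts about the file."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    # Header: 3-byte signature, 1-byte version, 4-byte little-endian length.
    sig, version, declared_len = struct.unpack("<3sBI", data[:8])
    if sig == b"FWS":            # uncompressed
        body = data[8:]
    elif sig == b"CWS":          # zlib-compressed after the 8-byte header
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":          # LZMA-compressed; not unpacked in this example
        return {"signature": "ZWS", "version": version,
                "declared_length": declared_len, "length_ok": None, "urls": []}
    else:
        raise ValueError("not a SWF file: bad signature %r" % sig)
    urls = sorted({m.group().decode("ascii") for m in URL_RE.finditer(body)})
    return {
        "signature": sig.decode("ascii"),
        "version": version,
        "declared_length": declared_len,
        # The length field counts the uncompressed file, header included.
        "length_ok": declared_len == 8 + len(body),
        "urls": urls,
    }

def build_sample_swf(compressed: bool) -> bytes:
    """Constructed sample (not a playable movie): header plus bytes holding one URL."""
    body = b"\x00" * 16 + b"http://example.test/crossdomain.xml\x00" + b"\x00" * 4
    header_len = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + b"\x0a" + header_len + zlib.compress(body)
    return b"FWS" + b"\x0a" + header_len + body

if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_swf(build_sample_swf(flag)))
```

A file that fails the signature check or reports `length_ok` as false is truncated or not a SWF at all, and is worth re-extracting before analysis.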


If the URL does not end with the .swf extension, you will get the following error.


To analyze the code, simply click Analyze.


When the analysis has been performed, it highlights the lines on the left in red. Clicking a highlighted line shows the possible vulnerability in the code. The right pane also shows the summary of the vulnerability, the fix and the references that we can refer to.


Other than that, SWFScan can also do the following:
- Export the Source Code
- Export the URLs
- Create Vulnerability Report


More info:
