
SWFScan - First Look


I've seen several blog posts recently announcing SWFScan, a free tool from HP for decompiling and inspecting swf files for security vulnerabilities. In this post, we'll take a quick glance at what the tool can do for you.

From the HP site:

HP SWFScan, a free tool developed by HP Web Security Research Group, will automatically find security vulnerabilities in applications built on the Flash platform.

My initial experience is that this is a very easy-to-use AS2 and AS3 swf decompiler. You just point it at a file or URL, and it will decompile it. It will also analyze the swf to detect any embedded URLs and, more importantly, any potential security threats (database connection strings, passwords, debug messaging, cross-site scripting vulnerabilities, etc.). This could be useful if you are auditing your own applications, or if you are inheriting a legacy application and want to find any weaknesses in it.

Just to test it out, I pointed it at acrobat.com, and below is an example of what I found. Had there been any vulnerabilities on that site, they would have shown up in the vulnerabilities frame on the lower right.

[Screenshot: swfscan.png, SWFScan pointed at acrobat.com]

You have the ability to export source for the application, generate vulnerability reports, and there are lots of options for code inspection. It is a free download from HP, so go try it out for yourself, and ensure that your own applications are safe and secure.
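To make concrete what the "analyze" step is looking for, here is a small added example of my own (not SWFScan's code, and not how HP implements its checks). It validates the 8-byte SWF header (FWS uncompressed or CWS zlib-compressed, rejecting anything else, such as an HTML page fetched instead of the swf itself), inflates the body, and runs heuristic regexes over the raw bytes for the finding classes mentioned above: embedded URLs, connection strings, passwords and leftover trace() debug calls. The patterns, the `example.invalid` host and the sample swf it builds are all constructed for this demonstration; a real analyzer decompiles the tag records and ActionScript bytecode rather than treating the body as flat bytes.

```python
import re
import struct
import zlib
from typing import Dict, List, Tuple

# Heuristic patterns for the finding classes the post lists: embedded URLs,
# database connection strings, passwords and debug messaging. They are this
# example's own regexes, not SWFScan's rules.
PATTERNS = {
    "url": re.compile(rb"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?"),
    "password": re.compile(rb"(?:password|passwd|pwd)\s*[=:]\s*[^\s\x00;'\"]+", re.I),
    "connection_string": re.compile(
        rb"(?:Data Source|Provider|User Id|Initial Catalog)\s*=\s*[^;\x00'\"]+", re.I
    ),
    # AS3 compiles trace() into a call through the name "trace" kept in the
    # constant pool, so the bare name surviving in a release build is a hint.
    "debug": re.compile(rb"\btrace\b"),
}


class MalformedSWF(ValueError):
    """Raised when the input does not carry a valid SWF header."""


def read_swf(data: bytes) -> Tuple[int, bytes]:
    """Validate the 8-byte SWF header and return (version, uncompressed body).

    Header layout: 3-byte signature (FWS = plain, CWS = zlib, ZWS = LZMA),
    1-byte version, little-endian uint32 length of the *uncompressed* file
    including the header itself.
    """
    if len(data) < 8:
        raise MalformedSWF("shorter than the 8-byte SWF header")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        try:
            body = zlib.decompress(data[8:])
        except zlib.error as exc:
            raise MalformedSWF(f"CWS body is not valid zlib data: {exc}") from exc
    elif sig == b"ZWS":
        raise MalformedSWF("LZMA-compressed (ZWS) files are not handled here")
    else:
        # This is what an HTML page or any other non-SWF download looks like.
        raise MalformedSWF(f"bad signature {sig!r}, expected FWS/CWS/ZWS")
    if len(body) + 8 != declared_len:
        raise MalformedSWF(f"declared length {declared_len} != actual {len(body) + 8}")
    return version, body


def scan_swf(data: bytes) -> Dict[str, List[str]]:
    """Return {finding class: [unique matches]} for every pattern."""
    _, body = read_swf(data)
    findings: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            text = match.group(0).decode("latin-1")
            if text not in findings[name]:
                findings[name].append(text)
    return findings


def build_sample_swf(compressed: bool) -> bytes:
    """Constructed test input: a header plus a body holding strings of the
    kinds the scanner looks for. Real bodies are bit-packed tag records; the
    scanner treats the body as flat bytes, so that detail is skipped here."""
    payload = (
        b"\x00" * 16
        + b"trace\x00"
        + b"https://example.invalid/api/login\x00"
        + b"password=hunter2\x00"
        + b"Data Source=db.internal;User Id=app\x00"
    )
    total_len = 8 + len(payload)
    header = struct.pack("<I", total_len)
    if compressed:
        return b"CWS" + bytes([8]) + header + zlib.compress(payload)
    return b"FWS" + bytes([8]) + header + payload


if __name__ == "__main__":
    for name, hits in scan_swf(build_sample_swf(compressed=True)).items():
        print(f"{name}: {hits}")
    try:
        read_swf(b"<!DOCTYPE html><html><body>not a swf</body></html>")
    except MalformedSWF as exc:
        print("rejected:", exc)
```

Run it against your own swf files by reading them into `scan_swf`; anything it flags under `password` or `connection_string` is a secret that ships to every visitor's browser, which is the class of problem the tool exists to catch before release.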

Related Links:
SWFScan Download Page

___________________________________
Andrew Trice
Principal Architect
Cynergy Systems
http://www.cynergysystems.com


Comments

8 Comments

Chris said:

..But not available for Mac...

Andrew Trice said:

Yeah, looks like it is Windows only - forgot to mention that.

Vipin said:

So, all code is open... and a tool which does it so easily?

JMC said:

Couldn't help but think it was a tool that could make exploiting .swfs a lot quicker and easier too...

Mike Slinn said:

When I point it at acrobat.com I get "Malformed SWF header". I tried various incantations of the URL. What URL did you use?

Andrew Trice said:

You have to use the direct URL to the swf file: https://www.acrobat.com/adc.swf

Also, after it loads, you have to hit the "analyze" button to get the potential vulnerabilities to show up.

Vinoth said:

Most of the features of this tool are similar to ActionScript Viewer.

Andrew said:

In case anyone is using secureSWF to obfuscate their AS code -- the code is still obfuscated when decompiled with HP's SWFScan. I tried it out with one of my own swfs to confirm.


About This Site

Welcome to the premiere community site for all things RIA sponsored by O'Reilly Media and Adobe Systems Incorporated.