Comments for SWFScan - First Look (http://www.insideria.com/2009/03/swfscan---first-look.html)

SWFScan - First Look

2009-03-24T22:09:32Z

I've seen several blog posts recently announcing SWFScan, a free tool from HP for decompiling and inspecting swf files for security vulnerabilities. In this post, we'll take a quick glance at what the tool can do for you.

From the HP site:

HP SWFScan, a free tool developed by HP Web Security Research Group, will automatically find security vulnerabilities in applications built on the Flash platform.

My initial experience is that this is a very easy to use AS2 and AS3 swf decompiler. You just point it at a file or URL, and it will decompile it. It will also analyze the swf to detect any embedded URLS, and more importantly any potential security threats (Database connection strings, passwords, debug messaging, cross site scripting vulnerabilities, etc..). This could be useful if you are auditing your own applications, or if you are inheriting a legacy application and want to find any weaknesses in it.

Just to test it out, I pointed it at acrobat.com, and below is an example of what I found. Had there been any vulnerabilities on that site, then they would show up in the vulnerabilities frame on the lower right.

You have the ability to export source for the application, generate vulnerability reports, and there are lots of options for code inspection. It is a free download from HP, so you go try it out for yourself, and ensure that your own applications are safe and secure.

Comment from Chris on 2009-03-24

2009-03-25T00:30:06Z

..But not available for Mac...

Comment from Andrew Trice on 2009-03-24

2009-03-25T00:38:03Z

Yeah, looks like it is Windows only - forgot to mention that.

Comment from Vipin on 2009-03-25

2009-03-25T21:53:34Z

So, all code is open..and tool which do it so easily?

Comment from JMC on 2009-03-25

2009-03-26T00:34:52Z

Couldn't help but think it was a tool that could make exploiting .swfs a lot quicker and easier too...

Comment from Mike Slinn on 2009-03-26

2009-03-27T04:51:33Z

When I point it at acrobat.com I get "Malformed SWF header". I tried various incantations of the URL. What URL did you use?

Comment from Andrew Trice on 2009-03-27

2009-03-27T12:34:34Z

You have to use the direct URL to the swf file: https://www.acrobat.com/adc.swf

Also, after it loads, you have to hit the "analyze" button to get the potential vulnerabilities to show up.

Comment from Vinoth on 2009-03-29

2009-03-30T06:12:47Z

Most of the features of this tool is similar to Actionscript viewer

Comment from Andrew on 2009-06-29

2009-06-29T07:11:21Z

In case anyone is using secureSWF to obfuscate their AS code -- the code is still obfuscated when decompiled with HP's SWFscan. I tried it out with one of my own swf's to confirm.