HP publishes free security tool for Flash developers
Hewlett-Packard has published a free tool for detecting security vulnerabilities in Flash applications. SWFScan is a Windows-only tool for Flash developers to find and fix security vulnerabilities in applications developed with the Adobe Flash Platform.
Once pointed at the SWF file of any Flash application, SWFScan decompiles the ActionScript 2 or ActionScript 3 bytecode back to the original source code and audits it for over 60 vulnerabilities. The tool can check for several types of vulnerabilities, including exposure of confidential information, cross-domain privilege escalation and Cross-Site Scripting (XSS). The scan also checks whether the application complies with Adobe's security best practices.
According to Billy Hoffman, manager of the HP Web Security Research Group, the group downloaded and audited over 4,000 Flash applications while developing SWFScan. They found that approximately 35 per cent of all SWF applications violated Adobe's security best practices. Hoffman says that sensitive data, such as encryption keys, user names and passwords, is being stored in the client-side Flash code. Of the 250 tested Flash applications that had a log-in form, fifteen per cent had user names and passwords hard-coded inside them. A video is available featuring Hoffman discussing how a Flash application vulnerability can be exploited.
The tool supports all public versions of Flash and includes features that identify and report insecure programming, while also suggesting solutions based on Adobe's recommendations. SWFScan allows developers to audit third-party applications and create reports without requiring access to the original source code. More details can be found on the SWFScan FAQ page.
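The hard-coded credentials described above end up in an SWF as string constants inside the ActionScript code tags, which is why they can be found without the original source. As an added illustration (not HP's tool or any of its code), the Python script below parses the SWF container, inflates zlib-compressed CWS files, walks the tag list and flags secret-like string constants in the AS2/AS3 code tags; the keyword list is a heuristic assumption and `build_sample_swf` only builds a constructed test file.

```python
import re
import struct
import zlib

CODE_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}   # tags carrying AS2/AS3 bytecode
SECRET_WORDS = re.compile(r"user(name)?|pass(word|wd)?|secret|api[_-]?key|encryption[_-]?key|token", re.I)

def swf_body(data: bytes) -> bytes:
    """Return the uncompressed SWF body that follows the 8-byte header (FWS plain, CWS zlib)."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS SWF file")   # LZMA 'ZWS' is not handled here

def iter_tags(body: bytes):
    """Yield (tag_type, payload) for every tag after the FrameSize/FrameRate/FrameCount header."""
    nbits = body[0] >> 3                   # RECT: 5-bit Nbits, then 4 fields of Nbits bits, byte-aligned
    pos = (5 + 4 * nbits + 7) // 8 + 4     # skip RECT, FrameRate (u16) and FrameCount (u16)
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        tag_type, length, pos = code_and_len >> 6, code_and_len & 0x3F, pos + 2
        if length == 0x3F:                 # long form: a 32-bit length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield tag_type, body[pos:pos + length]
        pos += length
        if tag_type == 0:                  # End tag
            return

def find_secrets(data: bytes) -> list:
    """Return (tag name, keyword, literal) where a secret-like string constant is followed by a literal."""
    hits = []
    for tag_type, payload in iter_tags(swf_body(data)):
        if tag_type not in CODE_TAGS:
            continue
        strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", payload)]   # printable runs
        for kw, lit in zip(strings, strings[1:]):
            if SECRET_WORDS.search(kw) and not SECRET_WORDS.search(lit):
                hits.append((CODE_TAGS[tag_type], kw, lit))
    return hits

def build_sample_swf(constants: list, compress: bool = False) -> bytes:
    """Constructed test input: a minimal SWF whose only code is one ActionConstantPool (AS2)."""
    pool = b"".join(s.encode() + b"\x00" for s in constants)
    action = b"\x88" + struct.pack("<HH", 2 + len(pool), len(constants)) + pool + b"\x00"  # pool + ActionEnd
    tag = struct.pack("<HI", (12 << 6) | 0x3F, len(action)) + action                      # DoAction, long form
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + b"\x00\x00"   # empty RECT, 12 fps, 1 frame, End
    header = (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)
```

The keyword heuristic produces false positives by design; a real audit reviews each reported literal in the decompiled code rather than trusting the match.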
- Creating more secure SWF web applications, a report from Adobe.