Slashdot Mirror


HP's Free Adobe Flash Vulnerability Scanner

Catalyst writes "SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities. The scan detects things like XSS, SQL inside of the Flash app, hard-coded authentication credentials, weak encryption, insecure function calls, cross-domain privilege escalation, and violations of Adobe's security recommendations. There is also this video explaining a real, and amusing, attack against a Flash app. These issues are fairly widespread, with over 35% of SWF applications violating Adobe security advice."

7 of 82 comments

  1. SFWScan by MrEricSir · · Score: 4, Funny

    Can they also make SFWScan?

    That would help avoid potentially embarrassing situations at work.

    --
    There's no -1 for "I don't get it."
  2. What good is it? by frovingslosh · · Score: 5, Interesting

    Unless they make it into a Firefox plug-in that checks the flash code before running it, just what good is this?

    --
    I'm an American. I love this country and the freedoms that we used to have.
  3. Re:Wonder when they will release ... by ShadowRangerRIT · · Score: 4, Insightful

    Paranoid much? This is for Flash developers to avoid doing stupid things with an app that endangers their site, perhaps with a few checks to help avoid exposing their customers to additional risk. Why on Earth do you think there is an ulterior motive here?

    Keep in mind there are already loads of .NET security analyzers out there. TFA notes that the current Flash analyzers are frequently not up to date with the latest Flash releases. Is it so horrible of them to try and be helpful?

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  4. It would have been nice by Jane Q. Public · · Score: 4, Informative

    if the post -- or even the site -- had mentioned that the tool was for Windows only, so that I did not have to register first and then find out.

  5. This is the tool Prajakta Jagdale spoke about.. by Jeff Moss · · Score: 4, Informative

    At Black Hat D.C. last month Prajakta Jagdale spoke about HP developing this tool in her presentation:

    "Blinded by Flash: Widespread Security Risks Flash Developers Don't See"

    From the presentation's description:
    "In this presentation I will examine the Flash framework and then delve into the Flash security model and the transitions it has undergone over the years. To explore the avenues of compromise in the security model, I will use a test Flash application and demonstrate various attack vectors including Cross-Site Request Forgery, data injection and script injection. During this demonstration, I will explain the associated threats in detail and discuss means to mitigate these threats. Even though the test application validates the attack surface, the question remains: how many applications actually deployed are vulnerable to these threats? I will answer this question by providing astonishing statistics about vulnerable, real world applications I was able to find using simple Google queries."

    The pdf of her presentation is here:
    https://www.blackhat.com/presentations/bh-dc/Jagdale/BlackHat-DC-09-Jagdale-Blinded-by-Flash.pdf

  6. Youtube by JJman · · Score: 5, Interesting

    So naturally my first thought was, I wonder how well YouTube does.
    And lo: it's got 7 vulnerabilities.

    It's interesting how this behemoth of a flash provider is still not secure.
    *reaches for tinfoil hat*

  7. Clarification by krappie · · Score: 4, Informative

    SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities.

    It sounds like SWFScan actually scans flash SWF files, not flash itself like the post suggests.
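The summary says SWFScan decompiles SWF files and flags hard-coded credentials, and comment 7 points out that the input is the SWF file itself. As an added illustration (not SWFScan's or HP's code), here is the first step such a scanner performs: parse the 8-byte SWF container header, inflate a zlib-compressed (CWS) body, and run the recovered printable strings through credential-looking patterns. The credential regex, the `strings`-style extraction and the constructed sample SWF are assumptions of this example, not SWFScan's rules.

```python
import re
import struct
import zlib

# Illustrative patterns for embedded credentials (an assumption, not SWFScan's rule set).
CREDENTIAL_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+")


def swf_body(data: bytes):
    """Parse the SWF container header and return (version, decompressed body).

    Header layout: 3-byte signature ('FWS' plain, 'CWS' zlib, 'ZWS' LZMA),
    1-byte version, uint32 little-endian uncompressed length that counts the
    8-byte header itself.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled in this example")
    else:
        raise ValueError(f"not a SWF: signature {sig!r}")
    if len(body) + 8 != length:  # a mismatch usually means a truncated or tampered file
        raise ValueError(f"length field {length} does not match {len(body) + 8}")
    return version, body


def printable_strings(body: bytes, min_len: int = 4):
    """Pull runs of printable ASCII out of the decompressed tag data, as 'strings' would."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, body)]


def find_hardcoded_credentials(data: bytes):
    """Return every extracted string that looks like an embedded credential."""
    _, body = swf_body(data)
    return [s for s in printable_strings(body) if CREDENTIAL_RE.search(s)]


def make_sample_swf(strings, compress: bool) -> bytes:
    """Build a constructed, minimal SWF whose body is null-terminated strings standing in for tag data."""
    body = b"".join(s + b"\x00" for s in strings)
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    sample = make_sample_swf([b"login.php", b"password=hunter2", b"api_key: ABCD1234"], compress=True)
    print(find_hardcoded_credentials(sample))  # -> ['password=hunter2', 'api_key: ABCD1234']
```

A real scanner would walk the tag list and decode DoAction / DoABC constant pools instead of grepping raw bytes, but the container handling above is what every SWF tool does first.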