HP's Free Adobe Flash Vulnerability Scanner 82
Catalyst writes "SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities. The scan detects things like XSS, SQL inside of the Flash app, hard-coded authentication credentials, weak encryption, insecure function calls, cross-domain privilege escalation, and violations of Adobe's security recommendations. There is also this video explaining a real, and amusing, attack against a Flash app. These issues are fairly widespread, with over 35% of SWF applications violating Adobe security advice."
Re:What good is it? (Score:4, Insightful)
Re:Wonder when they will release ... (Score:5, Insightful)
Paranoid much? This is for Flash developers to avoid doing stupid things with an app that endangers their site, perhaps with a few checks to help avoid exposing their customers to additional risk. Why on Earth do you think there is an ulterior motive here?
Keep in mind there are already loads of .NET security analyzers out there. TFA notes that the current Flash analyzers are frequently not up to date with the latest Flash releases. Is it so horrible of them to try and be helpful?
Re:Wonder when they will release ... (Score:2, Insightful)
It's safe to assume that no one actually uses Silverlight so this would be a moot point.
Re:What good is it? (Score:0, Insightful)
That would be fucking stupid anyhow.
Flash security often overlooked (Score:3, Insightful)
Though I haven't had a chance to evaluate it just yet, I think this is a step in the right direction. Flash security is often overlooked, while Flash itself is often overused by designers who think that pretty effects make the web page. It gets especially bad when Flash is used for activities that require some sort of security, such as a login form. 99% of the time, instead of POST'ing that information to a server side script, it's handled inside the SWF file. Since these can be easily decompiled (grab a copy of Flare or any other decompiler), the password is easily revealed. I recently found a network product which went through the trouble of XOR'ing a password and storing in a text file. Two problems: the text file was in the web root, and the XOR key was inside the SWF. Tools like this can only raise awareness of these types of issues.
Re:What good is it? (Score:3, Insightful)
Unless they make it into a Firefox plug-in that checks the flash code before running it, just what good is this?
For starters, it might allow someone to make a Firefox plugin based on it.