

HP's Free Adobe Flash Vulnerability Scanner

Catalyst writes "SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities. The scan detects things like XSS, SQL inside of the Flash app, hard-coded authentication credentials, weak encryption, insecure function calls, cross-domain privilege escalation, and violations of Adobe's security recommendations. There is also this video explaining a real, and amusing, attack against a Flash app. These issues are fairly widespread, with over 35% of SWF applications violating Adobe security advice."
  • by ShadowRangerRIT ( 1301549 ) on Tuesday March 24, 2009 @03:22PM (#27316331)

    I believe the idea is to check for Flash apps that are dangerous to the server, not the client. For example, you don't want to have the admin password to your database stored as a string inside your flash app.
  • by ShadowRangerRIT ( 1301549 ) on Tuesday March 24, 2009 @03:27PM (#27316403)

    Paranoid much? This is for Flash developers to avoid doing stupid things with an app that endangers their site, perhaps with a few checks to help avoid exposing their customers to additional risk. Why on Earth do you think there is an ulterior motive here?

    Keep in mind there are already loads of .NET security analyzers out there. TFA notes that the current Flash analyzers are frequently not up to date with the latest Flash releases. Is it so horrible of them to try and be helpful?

  • by stonedcat ( 80201 ) <hikaricore [at] gmail.com> on Tuesday March 24, 2009 @03:27PM (#27316409) Homepage

    It's safe to assume that no one actually uses Silverlight so this would be a moot point.

  • by Anonymous Coward on Tuesday March 24, 2009 @03:28PM (#27316413)

    That would be fucking stupid anyhow.

  • by twistah ( 194990 ) on Tuesday March 24, 2009 @03:47PM (#27316713)

    Though I haven't had a chance to evaluate it just yet, I think this is a step in the right direction. Flash security is often overlooked, while Flash itself is often overused by designers who think that pretty effects make the web page. It gets especially bad when Flash is used for activities that require some sort of security, such as a login form. 99% of the time, instead of POSTing that information to a server-side script, it's handled inside the SWF file. Since these can be easily decompiled (grab a copy of Flare or any other decompiler), the password is easily revealed. I recently found a network product which went through the trouble of XORing a password and storing it in a text file. Two problems: the text file was in the web root, and the XOR key was inside the SWF. Tools like this can only raise awareness of these types of issues.
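
As an added illustration of the kind of check the comment above describes (a hard-coded credential, a password compare done inside the SWF, and a plain-text data file fetched from the web root), here is a small Python scan over decompiled ActionScript 2. It is example code written for this page, not SWFScan's logic or the commenter's; the sample source, variable names and URL are constructed.

```python
import re

# Constructed sample of decompiled ActionScript 2, made up for this example;
# it is not taken from any real SWF or from the product discussed in the thread.
SAMPLE_AS = """\
var loginUser:String = "admin";
var loginPass:String = "s3cret!";
var xorKey:String = "k9";
function checkLogin(u:String, p:String):Boolean {
    return (u == loginUser && p == loginPass);
}
var lv:LoadVars = new LoadVars();
lv.load("http://example.com/config/passwords.txt");
"""

# A string literal assigned to a name that looks like a secret (password, key, token).
HARDCODED_SECRET = re.compile(
    r'\b(\w*(?:pass(?:word|wd)?|pwd|secret|key|token)\w*)\s*(?::\s*\w+)?\s*=\s*"([^"]*)"',
    re.IGNORECASE)
# Equality test against a secret-like name: the check runs in the client, so the
# expected value has to be present somewhere in the SWF for it to work.
CLIENT_SIDE_COMPARE = re.compile(r'==\s*(\w*(?:pass|pwd|secret)\w*)', re.IGNORECASE)
# Plain-text data file fetched from the web root; anything served there is public.
WEBROOT_FILE = re.compile(r'\.load\(\s*"(https?://[^"]+\.(?:txt|xml|ini|cfg))"', re.IGNORECASE)

def scan_actionscript(src):
    """Return (line, category, detail) findings for decompiled ActionScript text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = HARDCODED_SECRET.search(line)
        if m:
            findings.append((lineno, "hard-coded secret", m.group(1)))
        m = CLIENT_SIDE_COMPARE.search(line)
        if m:
            findings.append((lineno, "client-side credential check", m.group(1)))
        m = WEBROOT_FILE.search(line)
        if m:
            findings.append((lineno, "plaintext file fetched from web root", m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, category, detail in scan_actionscript(SAMPLE_AS):
        print(f"line {lineno}: {category}: {detail}")
```

Run against the sample it reports the password literal, the XOR key literal, the in-SWF compare and the web-root fetch; a real scanner would work on the decompiler's output rather than on a pasted string.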

  • by Jurily ( 900488 ) <jurily&gmail,com> on Tuesday March 24, 2009 @03:51PM (#27316771)

    Unless they make it into a Firefox plug-in that checks the flash code before running it, just what good is this?

    For starters, it might allow someone to make a Firefox plugin based on it.
