HP Security

HP's Free Adobe Flash Vulnerability Scanner

Catalyst writes "SWFScan is a free Flash security tool (download here), released by HP Software, which decompiles all versions of Flash and scans them for over 60 security vulnerabilities. The scan detects things like XSS, SQL inside of the Flash app, hard-coded authentication credentials, weak encryption, insecure function calls, cross-domain privilege escalation, and violations of Adobe's security recommendations. There is also this video explaining a real, and amusing, attack against a Flash app. These issues are fairly widespread, with over 35% of SWF applications violating Adobe security advice."
  • What good is it? (Score:5, Interesting)

    by frovingslosh ( 582462 ) on Tuesday March 24, 2009 @03:17PM (#27316243)
    Unless they make it into a Firefox plug-in that checks the flash code before running it, just what good is this?
  • Youtube (Score:5, Interesting)

    by JJman ( 916535 ) on Tuesday March 24, 2009 @04:11PM (#27317119)
    So naturally my first thought was, I wonder how well youtube does.
    And lo: it's got 7 vulnerabilities.

    It's interesting how this behemoth of a flash provider is still not secure.
    *reaches for tinfoil hat*
  • Re:Youtube (Score:3, Interesting)

    by phase_9 ( 909592 ) on Tuesday March 24, 2009 @05:01PM (#27318349) Homepage
    I ran this app on my own Flash App (http://moshimonsters.com/) and it produced a plethora of "Vulnerabilities" - and really dangerous ones too, like "Interesting Variable Name" (a variable named "masterList") and "Possible userdata information" (a constant named "LOGGED_IN")... To be honest this seems like a lot of FUD being generated by HP - I mean, just go look at the dailyWTF and you'll see programmers putting SQL statements in javascript! Still, I must give credit where it's due and thank HP for providing one of the most thorough SWF decompilers I have seen for free.
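The summary lists the finding classes SWFScan reports (SQL inside the SWF, hard-coded credentials, cross-domain problems), and the comment above shows how a name-only heuristic turns into noise. The following is an added example, not HP's SWFScan code and not code from the page, of the minimal static pass such a tool performs: it parses the SWF container (FWS/CWS), walks the tag stream, pulls the string constants out of AS2 DoAction ActionConstantPool records, and applies pattern checks for three of those finding classes. It assumes AS2-style DoAction tags only (AS3 DoABC and LZMA "ZWS" containers are not handled), and the sample SWF it scans is constructed inline and is not a playable movie. The "interesting-name" heuristic is kept behind a flag so the report can show exactly the kind of hit the "masterList"/"LOGGED_IN" comment complains about.

```python
# Added example: minimal SWF string scanner in the spirit of the tool described
# in the summary. Not HP's SWFScan. Assumes AS2 DoAction tags; sample is constructed.
import re
import struct
import zlib

TAG_DO_ACTION = 12            # SWF tag code for DoAction (AS2 bytecode)
ACTION_CONSTANT_POOL = 0x88   # AS2 action that declares the string constant pool


def swf_body(data):
    """Return the bytes after the 8-byte header, inflating 'CWS' files."""
    sig, declared = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported signature %r" % sig)
    if len(body) + 8 != declared:          # truncated or hand-edited file
        raise ValueError("length field does not match body size")
    return body


def iter_tags(body):
    """Yield (code, payload) for each tag after the RECT/frame-rate/count fields."""
    nbits = body[0] >> 3                   # RECT: 5-bit nbits, then 4 fields of nbits
    pos = (5 + 4 * nbits + 7) // 8 + 4     # RECT bytes + UI16 frame rate + UI16 count
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                 # long form: explicit UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                      # End tag
            break


def constant_pool_strings(action_bytes):
    """Strings from every ActionConstantPool record in a DoAction payload."""
    out, pos = [], 0
    while pos < len(action_bytes):
        code = action_bytes[pos]
        pos += 1
        if code == 0:                      # ActionEnd
            break
        if code < 0x80:                    # short action: no length field
            continue
        length = struct.unpack_from("<H", action_bytes, pos)[0]
        rec = action_bytes[pos + 2:pos + 2 + length]
        pos += 2 + length
        if code == ACTION_CONSTANT_POOL:
            count = struct.unpack_from("<H", rec, 0)[0]
            out += [s.decode("latin-1") for s in rec[2:].split(b"\x00")[:count]]
    return out


CHECKS = {
    "sql-in-swf": re.compile(r"\b(SELECT\s.+\sFROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b", re.I),
    "hardcoded-credential": re.compile(r"^(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+", re.I),
}
NOISY_NAME = re.compile(r"master|admin|logged|token", re.I)   # the FUD-prone kind


def scan(data, include_name_heuristic=False):
    """Return a sorted list of (finding, string) pairs for the SWF bytes."""
    strings = []
    for code, payload in iter_tags(swf_body(data)):
        if code == TAG_DO_ACTION:
            strings += constant_pool_strings(payload)
    findings = set()
    for s in strings:
        for name, rx in CHECKS.items():
            if rx.search(s):
                findings.add((name, s))
        if include_name_heuristic and NOISY_NAME.search(s):
            findings.add(("interesting-name", s))
    # allowDomain("*") compiles to separate pool entries, so check the set, not one string.
    if "allowDomain" in strings and "*" in strings:
        findings.add(("permissive-cross-domain", 'allowDomain("*")'))
    return sorted(findings)


def build_sample_swf(compressed=True):
    """Constructed SWF whose only tag is a DoAction holding one constant pool."""
    pool = [b"SELECT * FROM users WHERE name=", b"password=hunter2",
            b"System", b"security", b"allowDomain", b"*",
            b"masterList", b"LOGGED_IN"]
    rec = struct.pack("<H", len(pool)) + b"".join(s + b"\x00" for s in pool)
    actions = bytes([ACTION_CONSTANT_POOL]) + struct.pack("<H", len(rec)) + rec + b"\x00"
    # Long-form tag header (0x3F + UI32 length) is valid for any length.
    tags = struct.pack("<H", (TAG_DO_ACTION << 6) | 0x3F) + struct.pack("<I", len(actions)) + actions
    tags += struct.pack("<H", 0)                              # End tag
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags    # RECT(nbits=0), 12 fps, 1 frame
    hdr = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return hdr + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for finding, text in scan(build_sample_swf(), include_name_heuristic=True):
        print("%-24s %s" % (finding, text))
```

Run without the heuristic and the constructed movie yields three findings a reviewer would actually act on; with it, `masterList` and `LOGGED_IN` join the list purely because of their names, which is the false-positive class the comment above describes.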
