Re: Flash Web Application

[Steve Pinkham <steve.pinkham () gmail com>]

david lodge wrote:
> > I want to learn pentesting flash web application. The authentication
> > also using flash. Any hint where I should start to pentest flash web
> > application?
> >
> > Can I use webscarab to see what happen on the site?
>
> Get a good flash disassembler. You can get flare and flasm for free
> (open source), but these are limited to as2 and don't support as3. The
> other alternatives are SoThink's SWFdecompiler and ASV (both
> commercial). SWFscan from HP is good, but I've had varying success
> from it and prefer to do it by hand :-)

So far we've found SWFscan to be a good decompiler, but a lousy 
vulnerability finder, for what it's worth.  It's a fine tool so long as 
you realize the limitations.  It does claim to do much more then it 
actually does...

Manual code auditing, proxies, and even swfintruder(when properly set up 
with the right flash and FF version) find many flaws SWFscan miss.  It 
is a pretty and easy to use decompiler though, and gives warnings on 
information leakage time vulns.
--
 | Steven E. Pinkham                      |
 | Security Researcher, Maven Security    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------