Penetration Testing mailing list archives
Re: Flash Web Application
From: Steve Pinkham <steve.pinkham () gmail com>
Date: Tue, 02 Feb 2010 09:00:43 -0500
david lodge wrote:
> > I want to learn pentesting flash web application. The authentication also uses flash. Any hint where I should start to pentest flash web application? Can I use webscarab to see what happens on the site?
>
> Get a good flash disassembler. You can get flare and flasm for free (open source), but these are limited to AS2 and don't support AS3. The other alternatives are SoThink's SWFdecompiler and ASV (both commercial). SWFscan from HP is good, but I've had varying success from it and prefer to do it by hand :-)
So far we've found SWFscan to be a good decompiler, but a lousy vulnerability finder, for what it's worth. It's a fine tool so long as you realize the limitations. It does claim to do much more than it actually does...

Manual code auditing, proxies, and even swfintruder (when properly set up with the right Flash and FF version) find many flaws SWFscan misses. It is a pretty and easy-to-use decompiler though, and gives warnings on information leakage type vulns.
--
Steven E. Pinkham
Security Researcher, Maven Security
http://www.mavensecurity.com
GPG public key ID CD31CAFB
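As an added triage helper that is not part of this thread: since flare and flasm only handle AS2, it helps to read a SWF's version and its FileAttributes ActionScript3 flag before choosing a decompiler. This Python reads the header (FWS/CWS signature, version, declared length), inflates CWS bodies, and walks tags to the FileAttributes record; the two sample files are constructed inline, and the tag code and flag bit come from the SWF file format specification.

```python
import struct
import zlib

FILE_ATTRIBUTES_TAG = 69   # must be the first tag in SWF 8+ files
AS3_FLAG = 0x08            # ActionScript3 bit in the tag's first byte

def _rect_len(data, pos):
    """Byte length of the RECT record at pos (5-bit width field, then 4 fields)."""
    nbits = data[pos] >> 3
    return (5 + 4 * nbits + 7) // 8

def swf_info(blob):
    """Parse the SWF header and FileAttributes tag; returns a small dict."""
    sig = blob[:3]
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS SWF (LZMA 'ZWS' is not handled here)")
    version = blob[3]
    declared_len = struct.unpack("<I", blob[4:8])[0]
    body = zlib.decompress(blob[8:]) if sig == b"CWS" else blob[8:]
    pos = _rect_len(body, 0) + 4          # skip RECT, frame rate, frame count
    uses_as3 = False
    while pos + 2 <= len(body):
        hdr = struct.unpack("<H", body[pos:pos + 2])[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                # long form: UI32 length follows
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        if code == FILE_ATTRIBUTES_TAG:
            uses_as3 = bool(body[pos] & AS3_FLAG)
        if code in (0, FILE_ATTRIBUTES_TAG):   # End tag, or found what we need
            break
        pos += length
    return {"compressed": sig == b"CWS", "version": version,
            "declared_length": declared_len, "actionscript3": uses_as3}

def build_sample(as3, compress):
    """Constructed minimal SWF (RECT, 24 fps, 1 frame, FileAttributes, End)."""
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1)
    body += struct.pack("<H", (FILE_ATTRIBUTES_TAG << 6) | 4)
    body += bytes([AS3_FLAG if as3 else 0, 0, 0, 0]) + b"\x00\x00"
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body)) + payload

SAMPLE_AS3 = build_sample(as3=True, compress=True)
SAMPLE_AS2 = build_sample(as3=False, compress=False)
```

Run `swf_info` on a real file's bytes; a True `actionscript3` result means the AS2-only tools from the thread will not decompile it.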