Penetration Testing mailing list archives
Re: Flash Web Application
From: david lodge <resident.deity () gmail com>
Date: Tue, 2 Feb 2010 11:17:11 +0000
> I want to learn pentesting Flash web applications. The authentication is also done using Flash. Any hint where I should start to pentest a Flash web application? Can I use WebScarab to see what happens on the site?
Get a good Flash disassembler. You can get flare and flasm for free (open source), but these are limited to AS2 and don't support AS3. The other alternatives are SoThink's SWF Decompiler and ASV (both commercial). SWFScan from HP is good, but I've had varying success with it and prefer to do it by hand :-)

Internally, SWF compiles to a bytecode which can easily be decompiled to ActionScript (a JavaScript-type language). Using Wireshark to trap successful and failed authentication packets is also useful.

Which Flash application is it? If it's something like CoffeeCup's Password Wizard, then you can break the authentication in about 3 seconds.

dave