Penetration Testing mailing list archives

Re: Flash Web Application


From: david lodge <resident.deity () gmail com>
Date: Tue, 2 Feb 2010 11:17:11 +0000

> I want to learn pentesting flash web applications. The authentication
> is also using flash. Any hint where I should start to pentest a flash
> web application?
>
> Can I use webscarab to see what happens on the site?

Get a good flash disassembler. You can get flare and flasm for free
(open source), but these are limited to AS2 and don't support AS3. The
other alternatives are SoThink's SWFdecompiler and ASV (both
commercial). SWFscan from HP is good, but I've had varying success
with it and prefer to do it by hand :-)

Internally, SWF compiles to a bytecode which can easily be decompiled
to ActionScript (a JavaScript-type language).

Using Wireshark to trap successful and failed authentication packets
is also useful.

Which flash application is it? If it's something like coffeecup's
password wizard, then you can break the authentication in about 3
seconds.

dave
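The following Python script is an added illustration of the point in the reply above; it is not part of dave's message and not code from any of the tools he names. It walks the SWF container format (the 8-byte header, optional zlib-compressed body, RECT frame size, frame rate and count, then the tag stream, with layout and tag codes taken from the published SWF file format specification) and pulls printable strings out of the script-carrying tags (DoAction, DoInitAction, DoABC). The sample SWF is constructed inline, with a deliberately hard-coded username and password inside an AS2 DoAction tag, so the output shows what a decompiler reads straight out of a client-side authentication check; a developer can run the same walk over a real build before release to confirm no credentials or secrets ship in the SWF.

```python
"""Walk a SWF container and list strings in its script tags (added example).

Layout assumed from the SWF file format spec: an 8-byte header
(signature, version, uint32 LE total length), zlib-compressed body when
the signature is CWS, a RECT frame-size record, uint16 frame rate (8.8
fixed) and frame count, then tags with RECORDHEADER = code<<6 | length.
"""
import struct
import zlib

# Tag codes from the SWF spec that carry ActionScript (AS2 or AS3 bytecode).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}


def rect_byte_length(data, offset=0):
    """Byte length of the RECT at offset: 5 bits of nbits + 4*nbits fields, byte padded."""
    nbits = data[offset] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(blob):
    """Parse header and tag stream; tags are returned as (code, payload) pairs."""
    sig, version = blob[:3], blob[3]
    declared_len = struct.unpack_from("<I", blob, 4)[0]
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        body = zlib.decompress(blob[8:])  # everything after the header is one zlib stream
    else:
        raise ValueError("unsupported or invalid SWF signature: %r" % sig)
    if declared_len != 8 + len(body):
        raise ValueError("declared length does not match decompressed size")
    pos = rect_byte_length(body)
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:  # long form: explicit uint32 length follows the header
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:  # End tag terminates the stream
            break
    return {"signature": sig, "version": version, "frame_rate": frame_rate,
            "frame_count": frame_count, "tags": tags}


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes (the `strings` idea)."""
    out, cur = [], bytearray()
    for b in data + b"\x00":  # sentinel byte flushes a trailing run
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    return out


def find_script_strings(blob):
    """Strings inside script-bearing tags: what a decompiler, or anyone, can read."""
    return [(SCRIPT_TAGS[code], printable_strings(payload))
            for code, payload in parse_swf(blob)["tags"] if code in SCRIPT_TAGS]


def _encode_rect(xmin, xmax, ymin, ymax, nbits=16):
    """Pack a RECT record bit by bit, padded to a byte boundary."""
    bits = f"{nbits:05b}" + "".join(f"{v & ((1 << nbits) - 1):0{nbits}b}"
                                     for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def build_sample_swf(compress=True):
    """Constructed sample SWF: one DoAction tag whose AS2 ActionPush ops carry a
    hard-coded username and password (the credentials here are made up)."""
    push_user = b"\x96\x07\x00" + b"\x00admin\x00"      # ActionPush, string type
    push_pw = b"\x96\x09\x00" + b"\x00hunter2\x00"
    do_action = push_user + push_pw + b"\x00"           # ActionEnd
    body = (_encode_rect(0, 11000, 0, 8000)
            + struct.pack("<HH", 24 << 8, 1)             # 24 fps, 1 frame
            + struct.pack("<H", (12 << 6) | len(do_action)) + do_action
            + struct.pack("<H", 1 << 6)                   # ShowFrame, empty
            + b"\x00\x00")                                # End tag
    header_len = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([10]) + header_len + zlib.compress(body)
    return b"FWS" + bytes([10]) + header_len + body


if __name__ == "__main__":
    for name, strings in find_script_strings(build_sample_swf()):
        print(name, strings)
```

Replace `build_sample_swf()` with the bytes of a real file to audit a build; any string in a script tag that looks like a credential, key or hidden URL is readable by every user who loads the page, which is why the authentication decision must happen on the server rather than in the SWF.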
