Penetration Testing mailing list archives

Re: Flash Web Application


From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 27 Jan 2010 16:10:11 -0600

Zaki Akhmad <zakiakhmad () gmail com> writes:

Hello,

I want to learn pentesting Flash web applications. The authentication
also uses Flash. Any hints on where I should start to pentest a Flash
web application?

Can I use WebScarab to see what happens on the site?

Hi Zaki, 

Rafal Los from HP SPI did a great demo session at Chicagocon last year
that showed off SWFScan, a free ActionScript decompiler.  Amazing how
many people are doing very silly things in Flash that they shouldn't.
You can get it for free here:

https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf

I bet you break the application's authentication by tomorrow.  

Also relevant is the Billy Wins a Cheeseburger demo, also from HP:
     http://www.youtube.com/watch?v=_bHtGD3qUVg


Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
