HP SWFScan FAQ - The HP Security Laboratory Blog

What is HP SWFScan?

HP SWFScan is a free (as in beer) Flash security tool. The tool decompiles and audits applications written for the Flash platform.

 

How do you pronounce HP SWFScan?

HP “SwiffScan”

 

Who developed this [censored]ing awesome security tool called HP SWFScan?

SWFScan was developed by the smart guys and gals of HP's Web Security Research Group.

 

I have questions, feedback or comments. Who do I send them to?

Please report any feedback, comments and feature requests to the forum at http://www.communities.hp.com/securitysoftware/forums/612.aspx.

 

Which versions of Flash will HP SWFScan support?

All public versions of Flash as of this writing. In other words, up to and including Flash 10, though as long as a SWF uses ActionScript 2 or ActionScript 3, SWFScan should continue to work.

 

How do I scan my Flash application?

Point it at a URL to a SWF file or browse to a SWF file on a box and click on the “Get” button.

 

Can I load Flash applications from the Internet?

Yes. Specify the URL of the SWF file to be scanned and click ‘Get’.

 

Why doesn’t a link to a webpage decompile the Flash applications on it?

There are lots of ways to include Flash objects in a webpage: different tags, different parameters, even JavaScript. HP SWFScan does not try to auto-magically identify embedded SWF files in the HTML. You must do this manually. Sorry.

 

How does HP SWFScan find vulnerabilities?

HP SWFScan uses Static Analysis to detect vulnerabilities.

 

What is Static Analysis?

Magic that was gifted to us by unicorns! Ok, so we didn't get it from unicorns, but really, read Static Analysis on Wikipedia and you'll agree about the magic thing.

 

Is there a way to report on the vulnerabilities HP SWFScan finds?

Yes. Click on “Create Vulnerability Report” under the “File” menu. Specify the name of the HTML file in the “Save File” dialog box and click “Save”.

 

How do I verify the vulnerabilities HP SWFScan finds?

When the analysis is complete, HP SWFScan will highlight the source code that is causing the issue. Manual verification by the user is still required.

 

Why do some of the vulnerabilities not have any highlighted source associated with them?

In addition to finding vulnerabilities associated with the ActionScript code, HP SWFScan also audits the SWF tags in the Flash application. Improper use of SWF tags can also result in violation of Adobe’s Security Best Practices. Such tags do not have any ActionScript code associated with them. Therefore, these issues are reported at the top of the decompiled source tree and do not have any ActionScript source highlighted.

 

How should I fix the vulnerabilities HP SWFScan finds?

Every issue reported by HP SWFScan is associated with a vulnerability report that explains the cause of the issue; the report also provides the necessary fix suggestions and supplies a list of additional references to learn more about the detected issue. You can also read Adobe's excellent security recommendations.

 

How long does it take to decompile?

Depending on the size of the Flash application being decompiled, it may take anywhere from 5 to 30 seconds.

 

How long does it take to audit the application?

Depending on the size of the Flash application being scanned, HP SWFScan may take from 10 to 40 seconds to audit the application.

 

How much caffeine was really consumed while developing HP SWFScan?

Approximately 439.6 kilograms of caffeine were consumed.

 

How can I save the decompiled source?

Click File -> Export Source Code. In the dialog box, specify the name of the file to save the decompiled code to and click “Save”.

 

Where are the Flash system libraries?

HP SWFScan by default does not decompile or audit the Flash system libraries in order to optimize decompilation and audit time.

 

What are exclusions?

When compiled, the ActionScript 2 and ActionScript 3 system libraries are included in the final SWF. When decompiling, HP SWFScan excludes the system libraries from the decompile process. However, HP SWFScan allows the user to turn off these exclusions and add custom exclusions. This is helpful when you want to exclude other, third-party component libraries.

 

How do I add exclusions?

HP SWFScan excludes packages based on their names. To exclude a particular package, users can specify a regular expression that matches the package name to be excluded. To specify custom exclusions, under the Settings tab, click on “AS2 Exclusions” or “AS3 Exclusions” depending on the version of the Flash application being decompiled.

 

Can I use a proxy?

Yes, you can. To specify a web proxy, look for the Proxy tab under Settings. Only simple web proxies are supported.

 

I want to search for a specific string, how do I do that?

HP SWFScan provides a search feature that can be accessed by clicking on the “Search” button on the main window. The user can choose to either search the entire code or only specific blocks of code by choosing one of the options in the bottom left corner of the search window.

 

What is this “checks” thing in the Settings Menu?

“Checks” represent the vulnerabilities that HP SWFScan looks for during the audit. Users are allowed to choose the “Checks” that they want to run against their applications. To do this, look for Checks under the Settings tab and select the desired ones.

 

Why does the decompiled source say “//Failed to decompile source”?

Handcrafted SWF files often contain control structures that cannot be correctly represented in the ActionScript language. Blocks of code with these odd structures cannot be successfully decompiled by HP SWFScan, though other parts of the SWF file can often still be decompiled. The “//Failed to decompile source” comment is inserted to notify the user of such a failure.

 

Which versions of ActionScript will HP SWFScan support?

HP SWFScan supports ActionScript 2 and ActionScript 3.

 

What about ActionScript 1?

It kinda doesn't exist. It's weird. We don't understand.

 

Does HP SWFScan validate the vulnerabilities it finds?

No. SWFScan is a purely static analysis tool and does not perform any dynamic analysis to validate the detected vulnerabilities.

 

How did you collect your statistics about vulnerable Flash applications?

We collected over 5000 SWFs by searching Google using the search query "filetype:swf" plus some random generic keywords. Of those we tested 3954. Of those 3954 Flash applications we tested, 551 are ActionScript 3 (Flash version 9 or 10) and 3403 are ActionScript 2 (Flash 8 and below).

 

XSS Number:

Only ActionScript 2 can contain FlashVar-based XSS vulnerabilities. Of the 3403 AS2 Flash apps, only 633 had code that could be XSS-able (specifically, function calls to things like getURL with user-supplied input as parameters). Of the 633, we found that 99 contained XSS vulnerabilities. We manually confirmed these issues.
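The FAQ says SWFScan finds these issues by static analysis and that the user must verify them by reading the highlighted source. The following is an added example, not SWFScan's code or any code from HP: a toy intra-procedural checker over two constructed (hypothetical) AS2 fragments that treats reads of `_root.X` / `_level0.X` (where FlashVars land) as user-controlled sources and `getURL`, `loadMovie`, `loadVariables` and `fscommand` as sinks. The scheme check it recognises as a guard (`x.indexOf("http://") == 0`) is one common fix, chosen here for illustration; the regexes and variable names are assumptions.

```python
import re

# Constructed AS2 fragments (hypothetical, not decompiled from any real SWF).
# The first passes a FlashVar straight into getURL, the pattern the FAQ
# describes; the second checks the URL scheme before using it.
VULNERABLE_AS2 = """\
var target = _root.clickTAG;
getURL(target, "_blank");
"""

HARDENED_AS2 = """\
var target = _root.clickTAG;
if (target.indexOf("http://") == 0 || target.indexOf("https://") == 0) {
    getURL(target, "_blank");
}
"""

# FlashVars are placed on the main timeline, so a read of _root.X or
# _level0.X is treated as a user-controlled source.
SOURCE_RE = re.compile(r"\b(?:_root|_level0)\.(\w+)")
# Assignment of a source into a local: var x = _root.y;
ASSIGN_RE = re.compile(r"\bvar\s+(\w+)\s*=\s*(?:_root|_level0)\.\w+")
# Sinks that hand a string to the browser or load remote content.
SINK_RE = re.compile(r"\b(getURL|loadMovie|loadVariables|fscommand)\s*\(([^)]*)\)")
# A scheme guard on variable x: x.indexOf("http://") == 0 (or https://).
GUARD_RE = re.compile(r'(\w+)\.indexOf\(\s*"https?://"\s*\)\s*==\s*0')


def find_flashvar_sinks(source):
    """Return (line_number, sink, tainted_name) for every sink call whose
    arguments mention a FlashVar directly or a variable assigned from one,
    unless a scheme guard on that variable appeared on an earlier line.
    This is deliberately simplistic: no control-flow or string-concat
    tracking, which is why manual verification of hits is still needed."""
    tainted = set()
    guarded = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name in ASSIGN_RE.findall(line):
            tainted.add(name)
        for name in GUARD_RE.findall(line):
            guarded.add(name)
        for sink, args in SINK_RE.findall(line):
            # FlashVar used directly inside the call
            for match in SOURCE_RE.finditer(args):
                findings.append((lineno, sink, match.group(0)))
            # local variable that was assigned from a FlashVar and never guarded
            arg_names = set(re.findall(r"\b\w+\b", args))
            for name in sorted((arg_names & tainted) - guarded):
                findings.append((lineno, sink, name))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_flashvar_sinks(VULNERABLE_AS2))
    print("hardened:  ", find_flashvar_sinks(HARDENED_AS2))
```

The checker reports the `getURL` line in the first fragment and nothing in the second; a real tool would additionally have to follow string concatenation and calls across functions, which is the gap the FAQ's "manual verification" answer is pointing at.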

 

Debugging Number:

426 of the 551 version 9 or 10 Flash applications called the trace() debugging function or contained debugfile and debugline opcodes. We excluded all the standard Adobe functions and looked only at user-created code to ensure that only user-supplied debugging data was analyzed.

Best Practices Number:

1381 of the 3954 Flash applications contained at least one of the following issues defined in Adobe's “Creating more secure SWF web applications”:

  • Contained XSS
  • Contained debugging information
  • Stage was too small
  • Insecure cross-domain permissions
  • Obsolete/insecure protection mechanisms like PROTECT, ENABLEDEBUGGER, etc.
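The FAQ explains that some findings come from auditing SWF tags rather than ActionScript, and the list above names two of them: an undersized stage and the obsolete PROTECT / ENABLEDEBUGGER tags. The following is an added example, not SWFScan's code: a minimal SWF header and tag-list parser (uncompressed FWS and zlib-compressed CWS, following the SWF file format specification) that reports those two conditions, plus a builder that constructs sample SWFs inline so the audit runs offline. The tag codes (PROTECT=24, ENABLEDEBUGGER=58, DEBUGID=63, ENABLEDEBUGGER2=64) are from the SWF specification; the `MIN_STAGE_PX` threshold is an assumption, since the FAQ does not state SWFScan's cut-off.

```python
import zlib

# Tag codes from the SWF file format specification.
TAG_END = 0
TAG_SHOWFRAME = 1
TAG_PROTECT = 24
TAG_ENABLEDEBUGGER = 58
TAG_DEBUGID = 63
TAG_ENABLEDEBUGGER2 = 64
FLAGGED_TAGS = {
    TAG_PROTECT: "PROTECT",
    TAG_ENABLEDEBUGGER: "ENABLEDEBUGGER",
    TAG_ENABLEDEBUGGER2: "ENABLEDEBUGGER2",
    TAG_DEBUGID: "DEBUGID",
}
# Placeholder threshold for the "stage too small" check (assumption, not SWFScan's value).
MIN_STAGE_PX = 50


class BitReader:
    """Bit-level reader for the RECT structure in the SWF header (MSB first)."""
    def __init__(self, data, byte_offset=0):
        self.data = data
        self.bitpos = byte_offset * 8

    def read(self, n):
        value = 0
        for _ in range(n):
            byte = self.data[self.bitpos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.bitpos & 7))) & 1)
            self.bitpos += 1
        return value

    def read_signed(self, n):
        value = self.read(n)
        return value - (1 << n) if value & (1 << (n - 1)) else value

    def byte_offset(self):
        return (self.bitpos + 7) >> 3  # RECT is padded to a byte boundary


def parse_swf(data):
    """Return (stage_width_px, stage_height_px, [(tag_code, payload), ...])."""
    signature = data[:3]
    if signature == b"CWS":
        data = data[:8] + zlib.decompress(data[8:])   # body after the 8-byte header is zlib
    elif signature != b"FWS":
        raise ValueError("unsupported SWF signature %r" % signature)
    rect = BitReader(data, 8)                          # header: sig(3) version(1) length(4)
    nbits = rect.read(5)
    xmin, xmax, ymin, ymax = (rect.read_signed(nbits) for _ in range(4))   # twips
    pos = rect.byte_offset() + 4                       # skip frame rate (u16) and frame count (u16)
    tags = []
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                             # long form: u32 length follows
            length = int.from_bytes(data[pos:pos + 4], "little")
            pos += 4
        tags.append((code, data[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return (xmax - xmin) // 20, (ymax - ymin) // 20, tags


def audit_tags(data):
    """Tag-level findings: these have no ActionScript source to highlight."""
    width, height, tags = parse_swf(data)
    findings = []
    if width < MIN_STAGE_PX or height < MIN_STAGE_PX:
        findings.append("Stage too small: %dx%d px" % (width, height))
    for code, _payload in tags:
        if code in FLAGGED_TAGS:
            findings.append("Obsolete/insecure protection tag: " + FLAGGED_TAGS[code])
    return findings


# --- constructed sample SWFs (no real application) ---
def encode_rect(xmin, xmax, ymin, ymax, nbits=15):
    mask = (1 << nbits) - 1
    bits = format(nbits, "05b") + "".join(format(v & mask, "0%db" % nbits) for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def build_swf(tag_list, width_px=550, height_px=400, compress=False):
    body = encode_rect(0, width_px * 20, 0, height_px * 20)
    body += (12 << 8).to_bytes(2, "little") + (1).to_bytes(2, "little")   # 12 fps, 1 frame
    for code, payload in tag_list + [(TAG_END, b"")]:
        body += ((code << 6) | len(payload)).to_bytes(2, "little") + payload   # short headers only
    header = (b"CWS" if compress else b"FWS") + bytes([8]) + (8 + len(body)).to_bytes(4, "little")
    return header + (zlib.compress(body) if compress else body)


DEBUG_SWF = build_swf([(TAG_PROTECT, b""), (TAG_ENABLEDEBUGGER2, b"\x00\x00\x00"), (TAG_SHOWFRAME, b"")])
TINY_SWF = build_swf([(TAG_SHOWFRAME, b"")], width_px=1, height_px=1, compress=True)
CLEAN_SWF = build_swf([(TAG_SHOWFRAME, b"")])

if __name__ == "__main__":
    for name, blob in (("debug", DEBUG_SWF), ("tiny", TINY_SWF), ("clean", CLEAN_SWF)):
        print(name, audit_tags(blob))
```

Because the findings come from the tag stream and the header, they are reported without a source line, which is exactly why SWFScan shows them at the top of the decompiled source tree instead of highlighting ActionScript.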

 

Will HP SWFScan audit the server scripts used by the Flash application?

No. HP SWFScan only audits the client side code of the Flash applications.


Where can I learn more about Flash security?

A few resources that will help users to learn about Flash security are:

http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html

http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project


Posted 03-20-2009 9:38 PM by pjagdale

Comments

Pingback from HP ofrece una herramienta de seguridad para los desarrolladores de Flash (03-23-2009 8:44 AM)

Pingback from Kostenloses Tool für Flash Developer auf POWERFLASHER Blog (03-23-2009 8:48 AM)

Pingback from HP SWFScan - HP releases FREE Flash Security Tool | The 'Nick Generation' World (03-23-2009 3:45 PM)

Pingback from .:: Securnetwork.net Blog - Massimo Rabbi ::. » SWFScan: security tool gratuito da HP per gli sviluppatori Flash (03-24-2009 12:06 AM)

Pingback from 1 in 3 Flash Web Applications Violates Security Best Practices | IndicThreads (03-25-2009 7:33 AM)

Pingback from Seguindo os padrões de segurança da Adobe | André Caribé (04-02-2009 1:48 PM)
