23 March 2009
The HP Web Security Research Group today released HP SWFScan, a free security tool for Windows that helps developers find security vulnerabilities in applications developed with the Adobe Flash Platform. We have found that developers building applications with the Flash Platform often leave security vulnerabilities unintentially in their code. Our group decided to develop SWFScan to help not only our customers but also developers around the world make the web a safer place.
We have researched the security of applications built with the Flash Platform for quite some time. When we started, we looked at 250 applications and found that 15% had usernames or passwords hard-coded inside the code. Hackers can use open-source decompilers to view the code, find the passwords, and do basically whatever they want.
Many of these security issues are the same as those found in other web applications, such as improper input validation, information leakage, improper configurations, and injection of script which results in vulnerabilities like exposure of confidential data, cross-site scripting, and cross-domain privilege escalation. Too many developers hard-code access information such as passwords, encryption keys, or database information directly into their SWF-based applications. Watch this lighthearted video from HP, Billy Wins a Cheeseburger to see how hackers can exploit this vulnerability.
Throughout our development of SWFScan, we tested about 4,000 SWF files and found the following issues to be the most alarming:
SWFScan helps you find, fix, and prevent security vulnerabilities in your SWF applications and deliver more secure code without having to become a security expert. This tool is the first of its kind to decompile SWF files and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not otherwise detectable with traditional dynamic methods.
SWFScan can analyze any SWF file regardless of the Flash Player version for which it was targeted or version of ActionScript with which it was authored. Whether the SWF is located on your local computer or available via a public URL, SWFScan will decompile the bytecode and perform static analysis on it to understand the application's behavior and then check for known security issues.
SWFScan pinpoints the specific vulnerability in the code, describes how it can be exploited, and suggests remediation. We worked with Adobe specifically to ensure that our suggestions for fixing the code are in line with Adobe's security best practices.
SWFScan looks only at SWF applications that run inside the browser; it does not look at components that run on the server. To conduct a complete security assessment of your applications, HP provides a suite of software and services for testing applications throughout the application lifecycle. Visit us at hp.com/go/securitysoftware to find out more.
For more information on HP's SWF security research, download the slides from my presentation at ShmooCon 2009:
Also visit the HP newsroom to read a copy of the HP SWFScan press release.