Adobe Developer Connection / Flash Player Developer Center /

Reducing the risk of malicious web attacks with HP SWFScan

by Prajakta Jagdale, Web Security Research Group

Created 23 March 2009


Requirements

User level: All

The HP Web Security Research Group today released HP SWFScan, a free security tool for Windows that helps developers find security vulnerabilities in applications developed with the Adobe Flash Platform. We have found that developers building applications with the Flash Platform often leave security vulnerabilities unintentionally in their code. Our group decided to develop SWFScan to help not only our customers but also developers around the world make the web a safer place.

  • Download HP SWFScan (Windows only)

We have researched the security of applications built with the Flash Platform for quite some time. When we started, we looked at 250 applications and found that 15% had usernames or passwords hard-coded inside the code. Hackers can use open-source decompilers to view the code, find the passwords, and do basically whatever they want.

Many of these security issues are the same as those found in other web applications: improper input validation, information leakage, improper configuration, and script injection, which result in vulnerabilities such as exposure of confidential data, cross-site scripting, and cross-domain privilege escalation. Too many developers hard-code access information such as passwords, encryption keys, or database information directly into their SWF-based applications. Watch this lighthearted video from HP, Billy Wins a Cheeseburger, to see how hackers can exploit this vulnerability.

Throughout our development of SWFScan, we tested about 4,000 SWF files and found the following issues to be the most alarming:

  • 16% of SWF applications targeting Flash Player 8 and earlier have XSS vulnerabilities
  • 77% of SWF applications targeting Flash Player 9 and 10 contain developer debugging information and source code file references
  • 35% of all SWF applications violate Adobe's security best practices

SWFScan helps you find, fix, and prevent security vulnerabilities in your SWF applications and deliver more secure code without having to become a security expert. This tool is the first of its kind to decompile SWF files and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not otherwise detectable with traditional dynamic methods.

SWFScan can analyze any SWF file regardless of the Flash Player version for which it was targeted or version of ActionScript with which it was authored. Whether the SWF is located on your local computer or available via a public URL, SWFScan will decompile the bytecode and perform static analysis on it to understand the application's behavior and then check for known security issues.

SWFScan pinpoints the specific vulnerability in the code, describes how it can be exploited, and suggests remediation. We worked with Adobe specifically to ensure that our suggestions for fixing the code are in line with Adobe's security best practices.
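As an added illustration (not SWFScan's code and not part of the original article), the Python script below performs two of the checks described above directly on the SWF container: it walks the tag list for debugging tags (the "developer debugging information" finding) and greps the code-carrying tags for credential-like strings (the hard-coded password finding). The sample SWF is constructed inline; the tag codes and header layout follow the SWF file format specification, and the credential regex is a simple heuristic of my own.

```python
import re
import struct
import zlib
# Tag codes from the SWF file format specification; the regex is a heuristic for hard-coded access data.
DEBUG_TAGS = {58: "EnableDebugger", 63: "DebugID", 64: "EnableDebugger2"}
CODE_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
SECRET_RE = re.compile(rb"(?i)(password|passwd|secret|api[_-]?key|jdbc:|mysql://)[^\x00]{0,60}")

def decompress_swf(data: bytes) -> bytes:
    """Body after the 8-byte header; CWS bodies are zlib-compressed, FWS bodies are not."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file (LZMA 'ZWS' is not handled here)")
    return zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]

def iter_tags(body: bytes):
    """Yield (code, payload) per tag, skipping the RECT, frame rate and frame count."""
    nbits = body[0] >> 3                          # RECT: 5-bit Nbits, then 4 Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                        # long form: uint32 length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length

def scan_swf(data: bytes) -> dict:
    """Report debugging tags and credential-like strings inside code-carrying tags."""
    findings = {"debug_tags": [], "secrets": []}
    for code, payload in iter_tags(decompress_swf(data)):
        if code in DEBUG_TAGS:
            findings["debug_tags"].append(DEBUG_TAGS[code])
        if code in CODE_TAGS:
            for m in SECRET_RE.finditer(payload):
                findings["secrets"].append((CODE_TAGS[code], m.group(0).decode("latin-1")))
    return findings

def tag(code: int, payload: bytes) -> bytes:
    # Encode one tag in the short (6-bit) or long (uint32) length form.
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf(compress: bool = False) -> bytes:
    """Constructed sample: debugger enabled and a DoABC tag carrying a DB password."""
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1)  # empty RECT, 24 fps, 1 frame
    body += tag(69, b"\x00" * 4) + tag(64, b"\x00\x00debugpw\x00")  # FileAttributes, EnableDebugger2
    body += tag(82, b"\x10\x00\x2e\x00" + b"\x00" * 70 + b"db_password=hunter2\x00")  # fake DoABC
    body += tag(1, b"") + tag(0, b"")                # ShowFrame, End
    header = (b"CWS" if compress else b"FWS") + b"\x0a" + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)
```

Running `scan_swf(build_sample_swf())` flags the EnableDebugger2 tag and the `password=hunter2` string in the DoABC tag, for both the uncompressed and the zlib-compressed form of the same file.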

Where to go from here

SWFScan looks only at SWF applications that run inside the browser; it does not look at components that run on the server. To conduct a complete security assessment of your applications, HP provides a suite of software and services for testing applications throughout the application lifecycle. Visit us at hp.com/go/securitysoftware to find out more.

For more information on HP's SWF security research, download the slides from my presentation at ShmooCon 2009:

  • Blinded by Flash: Widespread security risks Flash developers don't see

Also visit the HP newsroom to read a copy of the HP SWFScan press release.

Copyright © 2012 Adobe Systems Incorporated. All rights reserved.