23 March 2009
The HP Web Security Research Group today released HP SWFScan, a free security tool for Windows that helps developers find security vulnerabilities in applications developed with the Adobe Flash Platform. We have found that developers building applications with the Flash Platform often leave security vulnerabilities unintentionally in their code. Our group decided to develop SWFScan to help not only our customers but also developers around the world make the web a safer place.
We have researched the security of applications built with the Flash Platform for quite some time. When we started, we looked at 250 applications and found that 15% had usernames or passwords hard-coded inside the code. Hackers can use open-source decompilers to view the code, find the passwords, and do basically whatever they want.
Many of these security issues are the same as those found in other web applications, such as improper input validation, information leakage, improper configurations, and injection of script which results in vulnerabilities like exposure of confidential data, cross-site scripting, and cross-domain privilege escalation. Too many developers hard-code access information such as passwords, encryption keys, or database information directly into their SWF-based applications. Watch this lighthearted video from HP, Billy Wins a Cheeseburger, to see how hackers can exploit this vulnerability.
Throughout our development of SWFScan, we tested about 4,000 SWF files and found the following issues to be the most alarming:
SWFScan helps you find, fix, and prevent security vulnerabilities in your SWF applications and deliver more secure code without having to become a security expert. This tool is the first of its kind to decompile SWF files and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not otherwise detectable with traditional dynamic methods.
SWFScan can analyze any SWF file regardless of the Flash Player version for which it was targeted or version of ActionScript with which it was authored. Whether the SWF is located on your local computer or available via a public URL, SWFScan will decompile the bytecode and perform static analysis on it to understand the application's behavior and then check for known security issues.
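As an added illustration of the hard-coded credential problem described above and of the header handling a scanner needs before it can look inside a SWF, the following Python script (written for this post; it is not HP's SWFScan) unwraps an FWS or CWS file and flags string constants that look like embedded passwords, keys or credentialed URLs. The sample file it builds is constructed for the test and carries only a valid header and a string body, and the credential patterns and placeholder values are assumptions rather than SWFScan's rules.

```python
import re
import struct
import zlib

# Heuristic patterns for the constants this post warns about (assumed here, not
# SWFScan's rules): key=value credentials, user:pass@ URLs, JDBC connection strings.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(passw(?:or)?d|pwd|secret|api[_-]?key|token)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\b[a-z]+://[^\s/:@]+:[^\s/@]+@"),
    re.compile(r"(?i)\bjdbc:[a-z]+://\S+"),
]

def swf_body(data: bytes) -> bytes:
    """Strip the 8-byte SWF header (signature, version, uncompressed length) and
    return the tag body: FWS is stored raw, CWS is zlib-compressed from byte 8."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature, length = data[:3], struct.unpack("<I", data[4:8])[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    elif signature == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) not handled in this example")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:  # length field covers header + uncompressed body
        raise ValueError(f"header length {length} != actual {len(body) + 8}")
    return body

def extract_strings(body: bytes, min_len: int = 4) -> list[str]:
    """Pull printable ASCII runs out of the body, like the Unix `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, body)]

def find_hardcoded_secrets(data: bytes) -> list[str]:
    """Return every string constant in the SWF that matches a credential pattern."""
    return [s for s in extract_strings(swf_body(data))
            if any(p.search(s) for p in CREDENTIAL_PATTERNS)]

def build_sample_swf(constants: list[str], compressed: bool = True) -> bytes:
    """Constructed test input: a header-valid SWF whose body is just NUL-terminated
    strings. Not a playable movie, but enough to exercise the parser and the scan."""
    body = b"".join(c.encode("ascii") + b"\x00" for c in constants)
    signature = b"CWS" if compressed else b"FWS"
    header = signature + bytes([10]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)
```

Run `find_hardcoded_secrets` over a compiled build before it ships; anything it reports is a value that belongs on the server, not in the SWF.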
SWFScan pinpoints the specific vulnerability in the code, describes how it can be exploited, and suggests remediation. We worked with Adobe specifically to ensure that our suggestions for fixing the code are in line with Adobe's security best practices.
SWFScan looks only at SWF applications that run inside the browser; it does not look at components that run on the server. To conduct a complete security assessment of your applications, HP provides a suite of software and services for testing applications throughout the application lifecycle. Visit us at hp.com/go/securitysoftware to find out more.
For more information on HP's SWF security research, download the slides from my presentation at ShmooCon 2009:
Also visit the HP newsroom to read a copy of the HP SWFScan press release.