HP has released a free static-analysis tool designed to find vulnerabilities in applications developed on the Adobe Flash platform. But HP SWFScan is no security geek plaything.
It’s meant specifically for developers without much in the way of security training.
The tool is the brainchild of the company’s Web Security Research Group, headed by Billy Hoffman, an experienced application security researcher. SWFScan has a variety of capabilities, including the ability to decompile any Flash application, scan it for more than 60 common flaws and check for compliance with Adobe’s security recommendations.
In addition, HP SWFScan offers several other features to help developers, code auditors and reviewers, and pen-testers examine the contents of Flash applications, including:
- Highlighting the line of decompiled source code that contains the vulnerability, so the context of the issue is easier to understand.
- Providing summaries, details and remediation advice for each vulnerability in accordance with Adobe’s recommendations for secure Flash development.
- Generating a vulnerability report that can be shared with the people responsible for fixing the detected issues.
- Exporting the decompiled source code for use with other external tools.
- Revealing all the URLs and web services the Flash application contacts.
- Flagging class names, function names, or variable names that may be of interest, such as loadedUserXml or crypt().
In his blog post, Hoffman mentions that SWFScan only audits the Flash code that runs in the browser, not the server-side code. HP’s team tested the tool on about 4,000 Flash applications and found that 35% of them violated Adobe’s security best practices and that 77% of applications targeting Flash Player 9 or 10 contained developer debugging information and references to source code files.
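The checks listed above (URL and web-service extraction, flagging suspicious class, function and variable names) and the debug-information finding quoted here all boil down to static analysis of decompiled ActionScript text. The following Python script is an added illustration of that idea and is not SWFScan's code or any HP code. It runs over a small, constructed ActionScript 3 sample embedded inline (no real SWF was decompiled), and the list of "interesting" name fragments, the debug-artifact heuristics (trace() calls and references to .as/.mxml source files) and the one best-practice check it performs (a wildcard Security.allowDomain("*"), which Adobe's guidance warns against) are my own choices, not checks the article attributes to the tool.

```python
"""Toy static scanner over decompiled ActionScript text (added example, not SWFScan)."""
import re
from typing import Dict, List

# Constructed sample of decompiled ActionScript 3; not taken from any real SWF.
SAMPLE_AS3 = r"""
package com.example.widget {
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.system.Security;

    public class UserLoader {
        // built from C:\build\src\UserLoader.as (debug info the compiler left behind)
        private var loadedUserXml:XML;
        private var apiKey:String = "demo-key-1234";

        public function UserLoader() {
            Security.allowDomain("*");
            trace("UserLoader init");
            var req:URLRequest = new URLRequest("http://api.example.com/user?id=42");
            var svc:URLRequest = new URLRequest("https://ws.example.net/soap/Login");
            new URLLoader().load(req);
        }

        private function crypt(input:String):String {
            return input;
        }
    }
}
"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# class/function/var/const declarations: the names a reviewer wants to triage
DECL_RE = re.compile(r"\b(?:class|function|var|const)\s+([A-Za-z_]\w*)")
# references to original source files that debug builds leave in the SWF
SOURCE_REF_RE = re.compile(r"[\w.:\\/-]+\.(?:as|mxml)\b")
TRACE_RE = re.compile(r"\btrace\s*\(")
# assumed best-practice check: a wildcard allowDomain lets any SWF script this one
ALLOW_DOMAIN_WILDCARD_RE = re.compile(r"""Security\.allowDomain\(\s*["']\*["']\s*\)""")

# Assumed list of substrings that make an identifier worth a closer look.
INTERESTING = ("crypt", "password", "passwd", "secret", "token", "key", "xml", "auth")


def find_urls(src: str) -> List[str]:
    """Endpoints the SWF talks to, in order of first appearance, de-duplicated."""
    seen: List[str] = []
    for m in URL_RE.finditer(src):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def find_interesting_names(src: str) -> List[str]:
    """Declared names whose lowercase form contains an INTERESTING fragment."""
    names = {m.group(1) for m in DECL_RE.finditer(src)}
    return sorted(n for n in names if any(k in n.lower() for k in INTERESTING))


def find_debug_artifacts(src: str) -> Dict[str, list]:
    """Source-file references and trace() calls (1-based line numbers)."""
    source_refs = sorted(set(SOURCE_REF_RE.findall(src)))
    trace_lines = [i for i, line in enumerate(src.splitlines(), 1) if TRACE_RE.search(line)]
    return {"source_files": source_refs, "trace_lines": trace_lines}


def find_wildcard_allow_domain(src: str) -> List[int]:
    """1-based line numbers of Security.allowDomain("*") calls."""
    return [i for i, line in enumerate(src.splitlines(), 1)
            if ALLOW_DOMAIN_WILDCARD_RE.search(line)]


def scan(src: str) -> Dict[str, object]:
    """Assemble a small report in the spirit of a client-side-only audit."""
    return {
        "urls": find_urls(src),
        "interesting_names": find_interesting_names(src),
        "debug": find_debug_artifacts(src),
        "wildcard_allow_domain_lines": find_wildcard_allow_domain(src),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_AS3).items():
        print(f"{key}: {value}")
```

Like the tool described in the article, this only sees what ships in the SWF: it can tell you that the client calls http://api.example.com/user?id=42, but nothing about whether that endpoint validates its input, which is why server-side code still needs its own review. The regexes are deliberately simple; a real scanner works on the decompiler's syntax tree rather than on text, so it is not fooled by string concatenation or obfuscated identifiers.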