Scanning Flash Apps For Insecurities

Did you know that a simple Flash application on your Website could be a backdoor into your network? I've always known of such insecurities in Flash applications, but until recently, I had only looked at some Flash-based malware using Flare to analyze suspected malicious SWF files. All that has all changed with HP's new SWFScan tool, which was released two weeks ago.Now, I have a new tool in my arsenal to look for security vulnerabilities in Flash apps.

SWFScan is Windows-based and freely available from the HP Website. Once downloaded and installed, use is as simple as pointing it to the URL of a Flash application (the actual ".swf" file), or opening a SWF file you've already downloaded. Click the "Get" button, followed by the "Analyze" button, to load and analyze the file. A tabbed interface shows the ActionScript source code, URLs included in the source, file properties, and any discovered vulnerabilities.

According to the HP Security Laboratory blog, SWF Scan currently audits for "over 60 vulnerabilities including exposure of confidential data, Cross-Site Scripting (XSS) and cross-domain privilege escalation." It also validates Flash apps against Adobe's best practices for security.

The first step to using the tool is to get the URL of the SWF. I usually look through the source code of the Webpage to find it, but a Web designer friend recently told me I was doing that the hard way. She showed me that Firefox's "Page Info" under the Tools menu would show a list of all media files embedded in a Web page, including the Flash SWF files. Right-click, copy the URL, paste it in SWFScan, and you're good to go.

But only scanning the few files you know about isn't enough. You're going to need to find all of the publicly known Flash files hosted on your site, or maybe your client's site if you're pentesting. A simple Google search for site:your_site.com filetype:swf should help you out with that problem. However, copying and pasting each one into SWFScan will quickly become tedious.

My first solution was a handy Python script that queries Google and outputs the URLs of the top 100 hits. With a little command-line Kung Fu using wget, I quickly had 100 SWF files for analysis. If the command line makes you queasy, I also tested the same idea with the Firefox DownThemAll Add-On, which lets you quickly download all links on a Website. It worked just as well.

At this point, you're left loading and analyzing all of the files you have downloaded. Again, it's a pretty tedious process until you get to juicy hits, like cross-site scripting or passwords found in the files. SWFScan definitely needs batch-processing capabilities.

So what do you do with your findings? Well, if you're a defender, you start beating down your developers' doors to get the issues fixed. Pentesters (attackers) might just find that crack in the defenses they can leverage to get deeper into the network.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.