Smashing Flash Applications

11 03 2012

Episode. 0X00
When we perform penetration testing against web applications, Flash embedded objects are in our scope. Even the stakeholder did not refer it in details, it is an interesting target. More importantly, if the business logic depends on Flash object, the whole target could be defeated.

If I have enough time, I will be back, and describe what I have done when dealing with juicy flash object. Well, sometimes it could be difficult if the luck is not on your side.

Favourite tools

  • sothink swf decompiler — reverse engineering its objects and action script
  • CheatEngine — good for cheating especially on games
  • any hex editors : 010 Hex editor— is ok, but not free. HxD is not bad
  • Project SIKULI — Visual technology by MIT, easy to use, very cool ideas, and great for automation. You could write an easy BOT with this tool.
  • Adobe Flash Investigator — A swiss army knife for smashing swf object released by Adobe. This only tool could somehow substitute all above tools I referred to.
  • Flash Exploitation Database — by Jason Calvert of WhiteHat Security Inc.
  • Assessing, testing and validating Flash content in OWASP AppSec 2010
  • See you, then!



    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out /  Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )


    Connecting to %s

    %d bloggers like this: