Matt Wood of the HP Web Security Research Group shows how a hacker can change a trade show registration price by exploiting an application security vulnerability in a cloud-based service.
Today we have released a FREE Flash security tool, SWFScan (pronounced “Swiff Scan”), that helps developers find, fix and prevent security vulnerabilities in applications built on the Adobe Flash platform. In the last few years, especially since the release of Adobe Flex (ActionScript 3), we have seen an explosion of web sites built on or containing Adobe Flash components (an Opera Developer Center study in October 2008 found that 30-40% of web sites contained Flash). As with any technology that spreads this quickly, the ways in which it can be exploited by hackers are multiplying too. All too often, developers building on the Adobe Flash platform leave unintended security vulnerabilities in their code, such as passwords and encryption keys hard-coded into the application. Because the compiled SWF is downloaded to every visitor’s browser, anything embedded in it can be recovered by decompiling it.
Here’s a quick video of Billy Hoffman talking about a specific example, called “Billy ‘Wins’ a Cheeseburger”:
During the research and development of HP SWFScan, the HP Web Security Research Group tested about 4,000 SWF files and found the following issues to be the most alarming:
- 16% of Flash applications using Flash 8 and below have XSS vulnerabilities
- 77% of Flash 9 and 10 applications contain developer debugging information and source code file references
- 35% of all Flash applications violate Adobe’s security best practices
So…How does it work?
HP SWFScan takes an application developed on the Adobe Flash platform and decompiles it, revealing the ActionScript source code. It then performs static analysis on that ActionScript to understand the application’s behaviour, and identifies vulnerabilities that lie beneath the surface of the application and are not detectable with traditional dynamic methods, which only observe the running application from the outside. (It is also the first security tool to address both ActionScript 2 and 3.)
It not only identifies the vulnerability within the code, but also describes how it can be exploited and suggests ways to remediate it (including Adobe’s best practices).
HP SWFScan can analyze any SWF file regardless of the version of Flash or ActionScript, and whether it is located on your local computer or available via a URL.
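To make the “decompile, then analyze statically” idea concrete, here is an added example (not SWFScan’s code, and not from HP or Adobe) that does the first, simplest part of that job in Python: it parses the SWF container format from the Adobe specification (the FWS/CWS signature, version byte, frame RECT, and the tag stream with its short and long record headers), inflates a zlib-compressed CWS body, picks out the tags that carry ActionScript bytecode (DoAction, DoInitAction, DoABC), and runs the two heuristics the statistics above describe, hard-coded secrets and developer file references, over the string constants found there. The `build_sample_swf` helper is a constructed input for demonstration, and the regular expressions are illustrative assumptions, not SWFScan’s rules.

```python
import re
import struct
import zlib
from typing import Dict, List, Tuple

# Tag codes from the SWF file format specification.
TAG_END = 0
TAG_DO_ACTION = 12       # ActionScript 1/2 bytecode (Flash 8 and below)
TAG_DO_INIT_ACTION = 59  # ActionScript 2 class initialisation
TAG_DO_ABC = 82          # ActionScript 3 bytecode (Flash 9 and above)
CODE_TAGS = {TAG_DO_ACTION, TAG_DO_INIT_ACTION, TAG_DO_ABC}

# Illustrative heuristics (assumed for this example, not SWFScan's rules):
# a credential-like name followed by a literal value, and a source path.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|apikey|api_key|encryptionkey|token)\b\s*[=:]\s*\S+")
FILEREF_RE = re.compile(r"(?i)([a-z]:\\[^\s]+|\b[\w/\\.-]+\.(as|mxml|fla)\b)")


def parse_swf(data: bytes) -> Dict:
    """Parse the SWF header and split the (decompressed) body into tags."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    file_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])      # zlib-compressed body (Flash 6+)
    else:
        raise ValueError("unsupported SWF signature %r" % sig)  # ZWS/LZMA not handled
    # Frame-size RECT: a 5-bit Nbits field followed by four Nbits-wide fields.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    pos += 2 + 2                                # frame rate (FIXED8) + frame count (UI16)
    tags: List[Tuple[int, bytes]] = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                      # long record header: explicit UI32 length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return {"version": version, "file_length": file_len, "tags": tags}


def printable_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return runs of printable ASCII at least min_len long (the string constants)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan(data: bytes) -> List[Dict]:
    """Apply the heuristics to every ActionScript-carrying tag in the SWF."""
    swf = parse_swf(data)
    findings: List[Dict] = []
    if swf["version"] <= 8:
        findings.append({"kind": "legacy-player",
                         "detail": "targets Flash %d (ActionScript 2 or older)" % swf["version"]})
    for code, payload in swf["tags"]:
        if code not in CODE_TAGS:
            continue
        for s in printable_strings(payload):
            if SECRET_RE.search(s):
                findings.append({"kind": "hardcoded-secret", "tag": code, "detail": s})
            if FILEREF_RE.search(s):
                findings.append({"kind": "file-reference", "tag": code, "detail": s})
    return findings


def build_sample_swf(version: int, compress: bool) -> bytes:
    """Constructed sample: a one-frame SWF whose DoAction tag pushes two string constants."""
    def push_string(s: str) -> bytes:
        payload = b"\x00" + s.encode() + b"\x00"      # ActionPush type 0 = NUL-terminated string
        return b"\x96" + struct.pack("<H", len(payload)) + payload

    def tag(code: int, payload: bytes) -> bytes:
        if len(payload) < 0x3F:
            return struct.pack("<H", (code << 6) | len(payload)) + payload
        return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload

    actions = (push_string("encryptionKey=0123456789abcdef")   # the hard-coded-key mistake
               + push_string("C:\\dev\\app\\src\\Login.as")     # a developer path left behind
               + b"\x00")                                       # ActionEnd
    body = b"\x00" + struct.pack("<H", 0x0C00) + struct.pack("<H", 1)  # RECT nbits=0, 12 fps, 1 frame
    body += tag(TAG_DO_ACTION, actions) + tag(TAG_END, b"")
    header = (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    for finding in scan(build_sample_swf(8, False)):
        print(finding)
```

Running the block prints a `legacy-player` finding for the Flash 8 sample, the hard-coded key, and the source path. String-matching on bytecode is only the crudest form of what the page describes: a real analysis decompiles the action records (or the ABC constant pool for ActionScript 3) and tracks how a FlashVar flows into calls such as `getURL`, which is what makes the XSS findings possible. Note also that the scan is run on the file a browser would receive, so compression offers no protection; the CWS sample yields the same findings as the uncompressed one.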
The HP Web Security Research Group has developed HP SWFScan to help our customers and developers around the world make the web a safer place.
Download a FREE copy here: www.hp.com/go/swfscan