Offensive Thinking

Internet Thoughtcrime

Flash Exploitation

Posted: 2009-06-09

Yesterday, I watched Prajakta Jagdale’s Blinded by Flash talk from Black Hat DC 2009. It started rather slow (hardcoded user credentials in the SWF file, uninitialised _root parameters, parameter injection with flashvars etc.) but got really interesting towards the end of the talk. There she mentioned fun things like metadata injection, defeating decompilers by changing the SWF bytecode and her new tool, SWFScan.

When I first heard about SWFScan I instantly disregarded it because of the first sentence on hp’s web page about it:

“HP SWFScan, a free tool developed by HP Web Security Research Group, will automatically find security vulnerabilities in applications built on the Flash platform.”

I just thought “meh, another vulnerability scanner” and didn’t think twice about it. But I was wrong. Yes, SWFScan can do static analysis on your SWF file, but it will also decompile it and show you the result in a neat overview, automatically grab URLs, show you frame properties, do syntax highlighting etc. Until now, I’ve always used Flare to decompile SWFs, but it’s not maintained any longer and has one major drawback: it doesn’t decompile ActionScript 3 code. SWFScan does. And with the nice tree view of the frames etc., analysing flash files isn’t that much of a PITA any more. There’s only one major problem with it: it’s Windows only. And requires the .NET Framework 2.0. So I had to whip out VirtualBox and install it in a VM. Could someone at hp please at least port this to Mono…?
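Before reaching for a decompiler at all, it helps to know what kind of bytecode a SWF carries, since that decides whether Flare can handle it or whether you need something AS3-aware like SWFScan. The following Python is an added example (not code from SWFScan, Flare or the talk) that walks the SWF header and top-level tag stream and classifies the script flavour from the tag codes; the sample SWF it builds is constructed purely to exercise the parser and is not a real movie.

```python
import struct
import zlib
# SWF tag codes (from the SWF file format spec) worth knowing when triaging a file.
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             59: "DoInitAction", 69: "FileAttributes", 76: "SymbolClass",
             77: "Metadata", 82: "DoABC"}

def parse_swf(data: bytes) -> dict:
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])  # zlib-compressed body (SWF version >= 6)
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    # Stage size is a RECT: 5-bit Nbits, then four Nbits-wide fields, byte padded.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate, frame_count = struct.unpack_from("<HH", body, pos)  # rate is 8.8 fixed
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]  # RECORDHEADER: code<<6 | len
        code, tag_len = header >> 6, header & 0x3F
        pos += 2
        if tag_len == 0x3F:  # long form: explicit 32-bit length follows
            tag_len, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        tags.append((code, TAG_NAMES.get(code, "Unknown"), tag_len))
        pos += tag_len
        if code == 0:  # End tag terminates the tag stream
            break
    return {"version": version, "length": length, "frame_rate": frame_rate / 256.0,
            "frame_count": frame_count, "tags": tags}

def script_flavour(tags) -> str:
    # DoABC carries AS3 bytecode; DoAction/DoInitAction carry AS1/2 (decides the decompiler).
    codes = {code for code, _, _ in tags}
    if 82 in codes:
        return "ActionScript 3 (DoABC)"
    return "ActionScript 1/2 (DoAction)" if codes & {12, 59} else "no script tags"

def build_sample_swf(compress: bool = True) -> bytes:
    # Constructed minimal SWF (not a real movie) used only to exercise the parser.
    rect = bytes.fromhex("7800055f00000fa000")  # 550x400 px stage, Nbits = 15
    body = rect + struct.pack("<HH", 12 << 8, 1)  # 12 fps, one frame
    body += struct.pack("<H", (69 << 6) | 4) + b"\x08\x00\x00\x00"  # FileAttributes
    body += struct.pack("<H", (82 << 6) | 3) + b"abc"  # DoABC with dummy payload
    body += struct.pack("<HH", 1 << 6, 0)  # ShowFrame, End
    sig, payload = (b"CWS", zlib.compress(body)) if compress else (b"FWS", body)
    return sig + bytes([10]) + struct.pack("<I", 8 + len(body)) + payload
```

Point `parse_swf` at the bytes of a real file and the tag list also surfaces Metadata (77) and SymbolClass (76) tags, which is where the metadata injection mentioned above would show up.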