The HP Web Security Research Group has published HP SWFScan, a tool that automatically finds security vulnerabilities in applications built on the Flash platform. The tool is currently available for Windows only. Here is what Prajakta Jagdal of the HP Web Security Research Group has to say about SWFScan:
SWFScan helps you find, fix, and prevent security vulnerabilities in your SWF applications and deliver more secure code without having to become a security expert. This tool is the first of its kind to decompile SWF files and perform static analysis to understand their behaviors. This helps identify vulnerabilities that lie under the surface of an application and are not otherwise detectable with traditional dynamic methods.
SWFScan can analyze any SWF file regardless of the Flash Player version for which it was targeted or version of ActionScript with which it was authored. Whether the SWF is located on your local computer or available via a public URL, SWFScan will decompile the bytecode and perform static analysis on it to understand the application’s behavior and then check for known security issues.
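Before any decompilation or static analysis can happen, a tool like the one described above first has to open the SWF container, work out whether it is compressed, and find the tags that carry ActionScript bytecode. The following added example (not SWFScan's or HP's code; it follows the public SWF file-format layout) does that triage step: it parses the header, decompresses a zlib-packed (CWS) file, walks the tag list, and reports whether the file carries ActionScript 1/2 (DoAction/DoInitAction tags) or ActionScript 3 (DoABC tags). The sample SWF it analyses is constructed inline so the script runs offline; the only assumption is the illustrative stage size and frame rate used to build it.

```python
"""SWF container triage: header, compression, and scripting-tag inventory.

Added example, not SWFScan code. Implements the public SWF container layout
(signature, version, length, stage RECT, frame rate/count, tag headers) and
reports which ActionScript tags are present, the step that precedes
decompiling and statically analysing the bytecode.
"""
import struct
import zlib

SIG_UNCOMPRESSED, SIG_ZLIB, SIG_LZMA = b"FWS", b"CWS", b"ZWS"

# Tag codes from the SWF file format specification.
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction", 59: "DoInitAction",
             69: "FileAttributes", 82: "DoABC"}
SCRIPT_TAGS = {12: "ActionScript 1/2", 59: "ActionScript 1/2", 82: "ActionScript 3"}


class BitReader:
    """Reads the bit-packed RECT that precedes the byte-aligned tag stream."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos, self.bit = data, pos, 0

    def read_bits(self, n: int, signed: bool = False) -> int:
        value = 0
        for _ in range(n):
            value = (value << 1) | ((self.data[self.pos] >> (7 - self.bit)) & 1)
            self.bit += 1
            if self.bit == 8:
                self.bit, self.pos = 0, self.pos + 1
        if signed and n and value & (1 << (n - 1)):
            value -= 1 << n  # sign-extend SB fields
        return value

    def byte_align(self) -> int:
        if self.bit:
            self.bit, self.pos = 0, self.pos + 1
        return self.pos


def parse_swf(data: bytes) -> dict:
    """Return header facts and the tag inventory of an FWS or CWS file."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == SIG_UNCOMPRESSED:
        body = data[8:]
    elif sig == SIG_ZLIB:
        body = zlib.decompress(data[8:])  # everything after the 8-byte header is zlib data
    elif sig == SIG_LZMA:
        raise ValueError("ZWS (LZMA) container not handled in this example")
    else:
        raise ValueError(f"not a SWF signature: {sig!r}")
    if len(body) + 8 != length:
        raise ValueError(f"length field says {length} bytes, file has {len(body) + 8}")

    br = BitReader(body)
    nbits = br.read_bits(5)
    xmin, xmax, ymin, ymax = [br.read_bits(nbits, signed=True) for _ in range(4)]
    pos = br.byte_align()
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0  # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4

    tags = []
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, tag_len = header >> 6, header & 0x3F
        pos += 2
        if tag_len == 0x3F:  # long form: 32-bit length follows
            tag_len = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + tag_len > len(body):
            raise ValueError(f"tag {code} at offset {pos} runs past end of file")
        tags.append((code, TAG_NAMES.get(code, f"Tag{code}"), tag_len))
        pos += tag_len
        if code == 0:
            break

    return {
        "compressed": sig == SIG_ZLIB,
        "version": version,
        "length": length,
        "stage_px": ((xmax - xmin) / 20.0, (ymax - ymin) / 20.0),  # twips -> pixels
        "frame_rate": frame_rate,
        "frame_count": frame_count,
        "tags": tags,
        "scripting": {SCRIPT_TAGS[c] for c, _, _ in tags if c in SCRIPT_TAGS},
    }


def _rect_bits(nbits: int, values) -> bytes:
    bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in values)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def build_sample_swf(compress: bool = False) -> bytes:
    """Constructed sample: 550x400 px stage, 24 fps, one frame, one DoAction tag."""
    body = _rect_bits(15, [0, 11000, 0, 8000])
    body += struct.pack("<HH", 24 << 8, 1)
    body += struct.pack("<H", (69 << 6) | 4) + b"\x00\x00\x00\x00"  # FileAttributes
    body += struct.pack("<H", (12 << 6) | 2) + b"\x07\x00"          # DoAction: Stop, end
    body += struct.pack("<H", 1 << 6)                                # ShowFrame
    body += struct.pack("<H", 0)                                     # End
    sig = SIG_ZLIB if compress else SIG_UNCOMPRESSED
    header = sig + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    for compressed in (False, True):
        info = parse_swf(build_sample_swf(compress=compressed))
        print(f"compressed={info['compressed']} v{info['version']} "
              f"stage={info['stage_px']} scripting={sorted(info['scripting'])}")
        for code, name, size in info["tags"]:
            print(f"  tag {code:3d} {name:<15} {size} bytes")
```

The scripting set is what decides the next step: DoAction/DoInitAction bodies are AVM1 bytecode, DoABC bodies are AVM2 (ActionScript 3) bytecode, and a file that carries both needs both decompilers. The length check and the per-tag bounds check also reject truncated or malformed files early, before any bytecode parser sees them.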
The HP experts worked with Adobe to ensure that the suggestions for fixing the code are in line with Adobe's security best practices. HP's involvement with Flash technology is another sign that Flash has made it into the enterprise software world, as one of the most common runtimes for RIAs and for desktop applications based on Flex/Adobe AIR.
HP established a forum for SWFScan, where experts and community members can discuss the tool and Flash security issues.