Free tool from HP scans for Flash vulnerabilities

Hewlett-Packard has released a free development tool that finds vulnerabilities in Flash, Adobe System's widely used but occasionally buggy interactive Web technology.

The tool, SWFScan, is designed for developers without security backgrounds, the company said on one of its blogs. It was built by HP's Web Security Research Group.

"People are just starting to look at it now because Flash is a binary format and there aren't a lot of free tools that let you look at the guts," said Billy Hoffman, a manager with the security group. HP worked closely with Adobe in developing the tool, he said.

SWFScan joins other tools that can spot problems with Flash, such as Flare and SWFIntruder. But HP said SWFScan is the only one that can be used with Flash versions 9 and 10; ActionScript 3, Flash's scripting language; and Flex, an open-source Web application framework used by Adobe.

SWFScan will decompile ActionScript 2 and 3 into original source code and perform static analysis, looking for more than 60 vulnerabilities including data leakage, cross-site scripting vulnerabilities and cross-domain privilege escalation, HP said.

The tool highlights troublesome lines in source code and will also provide remediation advice. It will format a vulnerability report, as well as allow the export of source code for work in other tools, HP said.

Cybercriminals are starting to take a closer look at Flash, and if their findings are anything like HP's, they're seeing a lot of bugs. "The attackers are already building tools," Hoffman said. "[We said] let's get tools into the hands of the good guys."

While doing consulting work for a client in the restaurant industry, Hoffman developed a program that could steal encrypted credentials from a Flash object. He then figured out how to use the encryption key to make it look as if he'd won an online promotional campaign run by the restaurant. "We were able to build our own application that I like to call, "Billy Wins a Cheeseburger," he said.

The great majority of Flash applications have some kind of security problems, Hoffman added.

HP said it tested SWFScan on some 4,000 Flash applications and found that 35 percent violated Adobe's best security practices. Sixteen percent of applications for Flash player 8 and earlier contained cross-site scripting vulnerabilities. Fifteen percent of those applications with login forms had user names or passwords hard coded into the application, HP said.

HP cautioned that the tool only looks at the part of a Flash application that runs in a browser and not those parts running on a server.