[Owasp-testing] HP today announced HP SWFScan

Marco M. Morana marco.m.morana at gmail.com
Sun Apr 5 09:53:18 EDT 2009


I did a little research: the SWFScan tool developer is Prajakta Jagdale (HP, formerly SPI); his email is prajakta.jadale at hp.com
Prajakta presented the tool at ShmooCon in Washington DC back last February.
The presentation can be found here: http://www.shmoocon.org/presentations-all.html

Maybe this presentation can be useful to compare it with OWASP SWFIntruder? This is what Prajakta claims: "Unfortunately, the capabilities of free tools (SWFIntruder and Flare) have not kept up with new Flash innovations such as the introduction of Flash 9 and 10, ActionScript 3, and Adobe's Flex framework. HP's SWFScan is the first and only free tool to decompile both ActionScript 2 and ActionScript 3 and analyze them for security vulnerabilities" http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx

Regards

Marco Morana
OWASP Chapter Lead
Writing Secure Software Blogger 

----- Original Message ----- 
From: "Stefano Di Paola" <wisec at wisec.it>
To: "Matteo G.P. Flora" <mf at matteoflora.com>
Cc: "owasp-testing" <owasp-testing at lists.owasp.org>
Sent: Friday, April 03, 2009 12:41 PM
Subject: Re: [Owasp-testing] HP today announced HP SWFScan


> Guys, 
> 
> @Eoin:
> I'd say that SWFScan is a good decompiler (finally for free) for AS3
> but:
> - It seems to have some issues decompiling non-Flex-compiled ActionScript
>  2/3 (Example http://www.aflax.org/aflax.zip ) so it's better to
>  continue using flare when possible.
> - About the "static analysis" feature of SWFScan, it's not perfect, like
>  every static analysis tool, so the best is doing it by hand.
>  (Example: http://www.longtailvideo.com/players/jw-flv-player/)
>           if(this._config.playerId)
>            {
>                Security.allowDomain(URLUtil.pageUrl);
>            }
>  is not alerted..(too complex!)
> 
> 
> as a side note, it seems HP is a bit wayward in giving credits about the
> underlying theory in Flash issues...but everyone knows, it's quite
> common ;)
> 
> @Matteo G.P. Flora:
> No it's different!... the one from HP has 9 little neurons,
> ours has an innumerable continuous space of Real Numbers of them :P
> 
> @s4tan:
> Minded Security is soo ahead that we choose a so nice logo that also in
> the past everyone copied us! :P
> 
> Cheers,
> Stefano
> 
> On Fri, 03/04/2009 at 12.36 +0200, Matteo G.P. Flora
> wrote:
>> Eoin wrote:
>> > https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf
>> > Not sure if it is any good. Matteo &  folks @ Minded Security and
>> > thoughts on this one?
>> 
>> Am I the only paranoid bastard who see an astounding similarity between
>> the logo on the HP page and Minded Security's logo?
>> 
>> cfr:
>> [1] http://www.mindedsecurity.com/
>> [2]
>> https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/images/G8560009032008-landing2.jpg
>> 
>> M.
> 
> 
> Stefano Di Paola
> Chief Technology Officer, Lead Auditor ISO 27001
> Minded Security - Application Security Consulting
> 
> Email: stefano.dipaola [at] mindedsecurity.com
> 
> Minded Security S.r.l.
> Via Duca D'Aosta, n.20 50129 Firenze (FI)
> www.mindedsecurity.com
> 
> 
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
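The conditional allowDomain case Stefano describes above is exactly the kind of call a flow-sensitive analyzer can talk itself out of reporting. As an added example that is not from the original thread, from SWFScan, or from any project discussed here, the following Python scanner runs over decompiled ActionScript text and flags every Security.allowDomain / Security.allowInsecureDomain call whose argument is a wildcard or is computed at runtime, no matter how deeply the call is nested in conditionals. The sample source is constructed for this example, modelled on the shape of the JW FLV Player snippet quoted above rather than copied from any real player; the Finding class, the severity labels and the helper names are assumptions of mine, not SWFScan's API.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of decompiled ActionScript 3 (not real JW Player code).
# Line 8 is the conditional allowDomain(URLUtil.pageUrl) pattern from the thread.
SAMPLE_AS3 = """\
package {
    import flash.system.Security;
    public class Player {
        private var _config:Object;
        public function init():void {
            if (this._config.playerId)
            {
                Security.allowDomain(URLUtil.pageUrl);
            }
            Security.allowDomain("*");
            Security.allowDomain("*.example.com", "cdn.example.com");
            Security.allowInsecureDomain(String(loaderInfo.parameters.host));
        }
    }
}
"""


@dataclass
class Finding:
    line: int       # 1-based line of the call in the decompiled source
    api: str        # allowDomain or allowInsecureDomain
    argument: str   # one argument expression, verbatim
    severity: str   # high / medium / info (labels are this example's own)
    reason: str


# Matches the start of a call; the argument list is extracted separately so that
# nested parentheses such as String(x.y) do not truncate the match.
CALL_START = re.compile(r'\bSecurity\s*\.\s*(allowDomain|allowInsecureDomain)\s*\(')
STRING_LITERAL = re.compile(r'^(["\'])(.*)\1$')


def _extract_args(src: str, start: int) -> Tuple[str, int]:
    """Return (argument text, index after the closing paren), honouring nested
    parentheses and quoted strings. `start` is the index just after '('."""
    depth, i, quote = 1, start, None
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return src[start:i], i + 1
        i += 1
    return src[start:], len(src)   # unterminated call: take what is there


def _split_top_level(args: str) -> List[str]:
    """Split an argument list on commas that are not inside parens or strings."""
    out, cur, depth, quote = [], [], 0, None
    for c in args:
        if quote:
            cur.append(c)
            if c == quote:
                quote = None
            continue
        if c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
        elif c == ',' and depth == 0:
            out.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(c)
    tail = ''.join(cur).strip()
    if tail:
        out.append(tail)
    return out


def classify(api: str, arg: str) -> Tuple[str, str]:
    """Rate one argument. Anything that is not a string literal is rated high,
    because the domain cannot be verified without knowing who controls it."""
    m = STRING_LITERAL.match(arg)
    if m is None:
        return 'high', 'argument computed at runtime; allowed domain cannot be verified statically'
    value = m.group(2)
    if value == '*':
        return 'high', 'wildcard grants every origin script access to the SWF'
    if '*' in value:
        return 'medium', 'subdomain wildcard: any host matching %s may script the SWF' % value
    if api == 'allowInsecureDomain':
        return 'medium', 'lets HTTP origins script an HTTPS-served SWF'
    return 'info', 'fixed domain; confirm it is intended'


def scan(source: str) -> List[Finding]:
    """Flow-insensitive scan: every call is reported, including ones guarded by
    an if, which is the case the thread says the tool missed."""
    findings, pos = [], 0
    while True:
        m = CALL_START.search(source, pos)
        if m is None:
            return findings
        args, pos = _extract_args(source, m.end())
        line = source.count('\n', 0, m.start()) + 1
        for arg in _split_top_level(args):          # allowDomain() reports nothing
            severity, reason = classify(m.group(1), arg)
            findings.append(Finding(line, m.group(1), arg, severity, reason))


if __name__ == '__main__':
    for f in scan(SAMPLE_AS3):
        print('%s:%d %s(%s): %s' % (f.severity, f.line, f.api, f.argument, f.reason))
```

The scanner is deliberately text-based and flow-insensitive, so the guarded call on line 8 of the sample is reported like any other. What it cannot do is the judgement Stefano recommends doing by hand: deciding whether `_config.playerId` or `URLUtil.pageUrl` is attacker-influenced (for example, fed from a flashvar or the embedding page), which is what turns a "high" finding into an actual cross-domain scripting issue. It also sees nothing when the call is assembled through reflection or obfuscated identifiers, and it will report calls that only appear inside string literals, so its output is a worklist for review rather than a verdict.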