The_Flash

Smashing Flash Applications

December 1 / 2015

Episode. 0X00
When we perform penetration testing against web applications, embedded Flash objects are in scope. Even if the stakeholder did not mention them in detail, they are an interesting target. More importantly, if the business logic depends on a Flash object, the whole target could be defeated.

If I have enough time, I will come back and describe what I have done when dealing with a juicy Flash object. Well, sometimes it can be difficult if luck is not on your side.

Favourite tools

Sothink SWF Decompiler — reverse engineering SWF objects and their ActionScript
CheatEngine — good for cheating, especially on games
Any hex editor: 010 Hex Editor — fine, but not free. HxD is not bad
Project SIKULI — visual automation technology from MIT, easy to use, very cool ideas, and great for automation. You could write a simple bot with this tool.
Adobe Flash Investigator — a Swiss army knife for smashing SWF objects, released by Adobe. This single tool could somehow substitute for all the tools listed above.
Flash Exploitation Database — by Jason Calvert of WhiteHat Security Inc.
Assessing, testing and validating Flash content — talk at OWASP AppSec 2010

See you, then!
