March 23, 2009, 2:50 PM — Hewlett-Packard has released a free development tool that finds vulnerabilities in Flash, Adobe System's widely used but occasionally buggy interactive Web technology.
The tool, SWFScan, is designed for developers without security backgrounds, the company said on one of its blogs. It was built by HP's Web Security Research Group.
HP said SWFScan joins other tools that can spot problems with Flash, such as Flare and SWFIntruder. But HP said SWFScan is the only one that can be used with Flash versions 9 and 10; ActionScript 3, Flash's scripting language; and Flex, an open-source Web application framework used by Adobe.
SWFScan will decompile ActionScript 2 and 3 into original source code and perform static analysis, looking for more than 60 vulnerabilities including data leakage, cross-site scripting vulnerabilities and cross-domain privilege escalation, HP said.
The tool highlights troublesome lines in source code and will also provide remediation advice. It will format a vulnerability report, as well as allow the export of source code for work in other tools, HP said.
HP said it tested SWFScan on some 4,000 Flash applications and found that 35 percent violated Adobe's best security practices. Sixteen percent of applications for Flash player 8 and earlier contained cross-site scripting vulnerabilities. Fifteen percent of those applications with login forms had user names or passwords hard coded into the application, HP said.
HP cautioned that the tool only looks at the part of a Flash application that runs in a browser and not those parts running on a server.
