What tools are there to inspect Flash SWF files?

Question

I am performing a penetration test against a website that uses Flash heavily.
What tools can I use to examine the SWF file for vulnerabilities?

From the Area51 proposal.

score 9 · Accepted Answer · 2010-11-16T10:15:09.250

9

From what I have been using: here http://www.swftools.org/ is a set of tools for work with SWF files, can be used for data structure analysis. Another one is a tool from HP specifically for scanning vulnerabilities in Flash: http://www.hp.com/go/swfscan (requires registration).

Tools that I have not used: Flare: http://www.nowrap.de/flare.html - there are also links to other tools, and Swfmill http://swfmill.org/ - tool to convert SWF to XML.

edited Nov 16 '10 at 10:15

answered Nov 16 '10 at 10:09

Neighbor has topic about Flash/SWF decompilers: http://questions.securitytube.net/questions/1687/best-flash-swf-decompiler – Nov 16 '10 at 16:05

score 8 · Answer 2 · answered Nov 16 '10 at 14:42

8

SWFScan for any
Nemo 440 for AS3, Flex, AIR
Flare for AS2 (Flasm for disassmebly). These aren't as useful anymore
There is an IDA Pro plugin for Flash disassembly written by some guy from Microsoft

Also see osflash.org and flashsec.org

answered Nov 16 '10 at 14:42

atdre

18,885
6
58
107

score 5 · Answer 3 · answered Dec 11 '10 at 22:16

5

Another good tool that I have used successfully in the past is OWASP's SWF Intruder.

answered Dec 11 '10 at 22:16

AviD

72,138
22
136
218

Vishwanath Dalvi · Answer 4 · 2011-03-06T17:17:46.483

4

You can try SWF Decompiler to convert SWF to FLA for getting any information that might you wouldn't get from FLA Movies for penetration testing

http://www.sothink.com/product/flashdecompiler/

edited Mar 06 '11 at 17:17

answered Feb 20 '11 at 18:24

Vishwanath Dalvi

618
3
9

What tools are there to inspect Flash SWF files?

4 Answers4

Linked