SWF assessment


SWF assessment

by Serg B

Hi all

Does anyone know of a tool that would allow me to query/execute
arbitrary methods within a currently loaded flash app?

E.g.

Go to a web page, server serves a SWF file, SWF file is loaded and
does whatever... I would like to be able to invoke individual methods
and properties inside the SWF file, while it's loaded in the web
browser.



Thanks
   Serg



Re: SWF assessment

by jfvanmeter

swfscan might do what you're looking for. I have to say that I've not used the tool a lot.
http://www.cgisecurity.com/2009/03/swfscan-free-flash-security-tool.html


----- Original Message -----
From: "Serg B" <sergeslists@...>
To: webappsec@...
Sent: Thursday, September 3, 2009 1:46:08 AM GMT -05:00 US/Canada Eastern
Subject: SWF assesment

Hi all

Does anyone know of a tool that would allow me to query/execute
arbitrary methods within a currently loaded flash app?

E.g.

Go to a web page, server serves a SWF file, SWF file is loaded and
does whatever... I would like to be able to invoke individual methods
and properties inside the SWF file, while it's loaded in the web
browser.



Thanks
   Serg





Re: SWF assessment

by Leonardo Cavallari Militelli-2

I'm not aware of that, but one thing you should try is decompiling it
and loading it into Adobe Flash CS3/4 in order to debug it.
Then you can understand actions and manipulate their values from
requests using a proxy.
Hope that helps.
- Leo Cavallari


2009/9/3, Serg B <sergeslists@...>:

> Hi all
>
> Does anyone know of a tool that would allow me to query/execute
> arbitrary methods within a currently loaded flash app?
>
> E.g.
>
> Go to a web page, server serves a SWF file, SWF file is loaded and
> does whatever... I would like to be able to invoke individual methods
> and properties inside the SWF file, while it's loaded in the web
> browser.
>
>
>
> Thanks
>    Serg
>
>
>

--
Sent from my mobile phone



Re: SWF assessment

by Saeed Abu Nimeh-2

Flare does what you are after but not in a web browser.
http://www.nowrap.de/flare.html

Serg B wrote:

> Hi all
>
> Does anyone know of a tool that would allow me to query/execute
> arbitrary methods within a currently loaded flash app?
>
> E.g.
>
> Go to a web page, server serves a SWF file, SWF file is loaded and
> does whatever... I would like to be able to invoke individual methods
> and properties inside the SWF file, while it's loaded in the web
> browser.
>
>
>
> Thanks
>    Serg
>
>
>



Re: SWF assessment

by Serg B

No, Flare is an AS2 decompiler, as far as I know.

I need something that can invoke methods in memory (something like
this: http://www.adaptj.com/main/stacktrace, but for flash, preferably
with support for AS3)




On Fri, Sep 4, 2009 at 1:01 PM, Saeed Abu Nimeh<sabunime@...> wrote:

> Flare does what you are after but not in a web browser.
> http://www.nowrap.de/flare.html
>
> Serg B wrote:
>>
>> Hi all
>>
>> Does anyone know of a tool that would allow me to query/execute
>> arbitrary methods within a currently loaded flash app?
>>
>> E.g.
>>
>> Go to a web page, server serves a SWF file, SWF file is loaded and
>> does whatever... I would like to be able to invoke individual methods
>> and properties inside the SWF file, while it's loaded in the web
>> browser.
>>
>>
>>
>> Thanks
>>   Serg
>>
>>
>>
>



RE: SWF assessment

by Paul Theriault-2

Pretty sure SWFScan will not do that. SWFScan is a SWF decompiler (one of the few that handles AS3) and a static code analysis tool.
As someone previously suggested though, you can decompile, copy and paste the functions you are interested in into your own new file, and then go nuts. Obviously depends on how complex the app is etc.

As for your request, I don't know of such a tool (if it does I would also be very interested in it).

You might want to look at the various debuggers that are available for flash. Never seen such a function but that isn't to say it doesn't exist. The flashsec wiki has an excellent list of flash related software:
https://www.flashsec.org/wiki/Software

Also Burp Pro now supports proxying AMF if your app happens to use that:
http://releases.portswigger.net/2009/08/v1214.html

Finally, you might want to ask on flashcoders: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Good Luck!



-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of jfvanmeter@...
Sent: Thursday, 3 September 2009 8:54 PM
To: Serg B
Cc: webappsec@...
Subject: Re: SWF assesment

swfscan might do what you're looking for. I have to say that I've not used the tool a lot.
http://www.cgisecurity.com/2009/03/swfscan-free-flash-security-tool.html


----- Original Message -----
From: "Serg B" <sergeslists@...>
To: webappsec@...
Sent: Thursday, September 3, 2009 1:46:08 AM GMT -05:00 US/Canada Eastern
Subject: SWF assesment

Hi all

Does anyone know of a tool that would allow me to query/execute arbitrary methods within a currently loaded flash app?

E.g.

Go to a web page, server serves a SWF file, SWF file is loaded and does whatever... I would like to be able to invoke individual methods and properties inside the SWF file, while it's loaded in the web browser.



Thanks
   Serg
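
The thread turns on whether a given SWF is AS2 (Flare's territory) or AS3 (which SWFScan handles), so the following added example, not written by any poster on this thread, triages a SWF by reading its header and tag stream. Tag codes follow the published SWF file format; treating tag 72 as an earlier DoABC variant is an assumption, and the two sample files are constructed inline.

```python
import struct
import zlib

AS2_TAGS = {12, 59}    # DoAction, DoInitAction: AS1/AS2 bytecode
AS3_TAGS = {72, 82}    # DoABC variants: AVM2 (AS3) bytecode; 72 is an assumption
FILE_ATTRIBUTES = 69   # first flags byte, bit 0x08 = ActionScript3

def swf_body(data):    # returns (version, uncompressed body after 8-byte header)
    sig, version = data[:3], data[3]
    if sig == b"FWS":
        return version, data[8:]
    if sig == b"CWS":  # zlib-compressed from byte 8 onwards
        return version, zlib.decompress(data[8:])
    raise ValueError("unsupported signature %r (ZWS/LZMA not handled)" % sig)

def iter_tags(body):   # yields (tag_code, payload); stops on End or truncation
    nbits = body[0] >> 3                 # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4   # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:               # long form: 32-bit length follows
            if pos + 4 > len(body):
                return                   # truncated file
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                    # End tag
            return

def classify(data):
    version, body = swf_body(data)
    out = {"version": version, "as3_flag": False, "as2_tags": 0, "as3_tags": 0}
    for code, payload in iter_tags(body):
        if code == FILE_ATTRIBUTES and payload:
            out["as3_flag"] = bool(payload[0] & 0x08)
        out["as2_tags"] += code in AS2_TAGS
        out["as3_tags"] += code in AS3_TAGS
    return out

def _swf(sig, version, tags):            # sample builder, short-form tags only
    body = b"\x00\x00\x0c\x01\x00" + b"".join(
        struct.pack("<H", c << 6 | len(p)) + p for c, p in tags)
    packed = zlib.compress(body) if sig == b"CWS" else body
    return sig + bytes([version]) + struct.pack("<I", 8 + len(body)) + packed

# Constructed samples, not real applications.
AS3_SAMPLE = _swf(b"CWS", 9, [(69, b"\x08\x00\x00\x00"),
                              (82, b"\x01\x00\x00\x00main\x00"), (0, b"")])
AS2_SAMPLE = _swf(b"FWS", 8, [(12, b"\x00"), (0, b"")])
```

Calling `classify()` on the bytes of a file captured through a proxy reports the same fields as for the samples; a non-zero `as3_tags` count means an AS2-only decompiler will not recover the code.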



