Filed Under: Flash, Flex, Security
I got some time today to try SWFScan, and from what it claims to offer it looks promising, but does it live up to it?
The install works seamlessly, and you are up and running in minutes. You can load a file locally from disk or via an url.

After the .swf file is loaded and decompiled, you can navigate the complete package structure and all the classes within a package. It is also possible to view the source for single classes. It is quite interesting that HP has made it so easy to have a look at your own and other companies' applications.
The most interesting feature, and the whole point of SWFScan, is analysing the source to find security issues; it lists the possible vulnerabilities in your application. It seems to do that job relatively well, considering that I have only used it for a short while and have not yet tested it with code that I know has security issues. I managed to test it on a large application I'm working on, plus a few modules we are using, and performance for both the decompile and the analysis was very good.
It is very eager to report issues where it is doing string comparisons, which makes it feel a bit noisy, at least if your application is large and you use words like "security" or "uid" in your method or variable names. But I would rather see them too often than have it not pick up on potential issues. It also reports issues like trace() calls, which you don't really want in your production code.

After having tested it on both Flash and Flex applications, I would say it works as expected. So far I have "only" found one big showstopper: we have a preloader in one of our Flex applications, and SWFScan is not able to decompile the classes in the whole application, only the ones used by the preloader.
SWFScan also highlights a broader issue with Flex/Flash applications: in the past decompilers haven't been as readily available as they are now, and looking at the code it produces should give most developers a small wake-up call. It gives other people good insight into how you code, how your application is designed and also what services you are using.
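To make the two points above concrete (the noisy keyword matching and trace() findings, and the service endpoints a decompiled SWF gives away), here is a small added scanner over decompiled ActionScript 3 text. It is example code written for this post, not SWFScan's own logic; the ActionScript sample, the sensitive-word list and the `strict`/triaged modes are all constructed assumptions.

```python
import re

# Constructed sample of decompiled ActionScript 3, not code from the post or from SWFScan.
SAMPLE_AS3 = """\
package com.example {
    public class LoginPanel {
        private var securityLevel:int = 0;          // identifier only, nothing sensitive
        private var uid:String = "";
        private const apiKey:String = "sk-live-12345";  // hard-coded credential
        private var endpoint:String = "https://api.example.com/login";
        public function submit():void {
            trace("submitting uid=" + uid);
            sendRequest(endpoint, uid);
        }
    }
}
"""
SENSITIVE_WORDS = ("security", "uid", "password", "secret", "key", "token")
COMMENT_RE = re.compile(r"\s//.*$")          # trailing // comment (not the // inside a URL)
TRACE_RE = re.compile(r"\btrace\s*\(")
URL_RE = re.compile(r"https?://[^\s\"']+")
WORD_RE = re.compile(r"\b\w+\b")
# var/const declaration initialised with a string literal
DECL_RE = re.compile(r"\b(?:var|const)\s+(\w+)\s*:\s*\w+\s*=\s*\"([^\"]*)\"")

def is_sensitive(name):
    return any(w in name.lower() for w in SENSITIVE_WORDS)

def scan(source, strict=False):
    """Findings as (line_no, kind, detail). strict=True mimics the noisy mode the post
    describes (any identifier containing a sensitive word); strict=False only reports a
    sensitive-named variable initialised with a non-empty string literal."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        code = COMMENT_RE.sub("", line)
        if TRACE_RE.search(code):
            findings.append((n, "trace", "debug output left in a production build"))
        for url in URL_RE.findall(code):
            findings.append((n, "endpoint", url))   # services the SWF talks to
        if strict:
            for ident in WORD_RE.findall(code):
                if is_sensitive(ident):
                    findings.append((n, "keyword", ident))
        else:
            m = DECL_RE.search(code)
            if m and m.group(2) and is_sensitive(m.group(1)):
                findings.append((n, "hardcoded", f"{m.group(1)} = {m.group(2)!r}"))
    return findings
```

Running `scan(SAMPLE_AS3, strict=True)` reports six keyword hits on a twelve-line class (most of them on harmless identifiers), while the triaged mode narrows the same input to the trace() call, the login endpoint and the one hard-coded credential.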
This is absolutely a tool every Flex/Flash developer should have in their toolkit.