Mostrando las entradas con la etiqueta HP. Mostrar todas las entradas
Mostrando las entradas con la etiqueta HP. Mostrar todas las entradas

29 de junio de 2009

Flex Decompiler

Esto es de mi otro blog que no actulizo pero lo voy a poner aquí que va mejor con Flex

HP lanzó una aplicación llamada SWFScan, ésta aplicación permite encontrar vulnerabilidades en los archivos .swf creados con Flash, Flex o cualquier otro programa cuya salida corra en la plataforma de Adobe Flash Player.

HP SWFScan is a free Windows-based security tool to help developers
find and fix security vulnerabilities in applications developed with the Adobe
Flash Platform. The tool is the first of its kind to decompile applications
developed with the Flash platform and perform static analysis to understand
their behaviors. This helps developers without security backgrounds identify
vulnerabilities hidden within the application which cannot be detected with
dynamic analysis methods.


(I've tested this app, and it's really good.. it gets all your code and checks if there are errors, or possible vulnerabilities )

Most of the time it gets you trace statements you left in your code.. here's a sample code from my preloader code...

private function onRSLDownloadProgress(findBundle:flash.events::ProgressEvent)
{
// debugfile: \TrunkWorkspace\DashboardRefactored\src;com\thinkglish\preloader;SWFPreloader.as
this.isRslDownloading = true;
this.rslBytesTotal = findBundle.bytesTotal;
this.rslBytesLoaded = findBundle.bytesLoaded;
this.rslPercent = Math.round(this.rslBytesLoaded / this.rslBytesTotal * 100);
trace("onRSLDownloadProgress: rslBytesLoaded " + this.rslBytesLoaded);
trace("onRSLDownloadProgress: rslBytesTotal " + this.rslBytesTotal);
trace("onRSLDownloadProgress: " + this.rslPercent + "%");

return;

}



and here's what SWFScan tells me what to do

Summary
An indication that the trace() function is being utilized was detected due to the presence of debug messaging.This can represent a serious security concern as path names and other information can be revealed. Recommendations include removing all debugging messaging from the application code before it is placed on production servers.

Fix

Set 'Omit Trace Actions' to 'true'. The Omit Trace Actions flag in Flash development environments tells the compiler to remove any trace commands when creating the compiled SWF file. This will make the published SWF smaller and it will remove any excess information or actions from the SWF.
References

Adobe:
Creating more secure SWF web applications

OWASP:
OWASP Flash Security Project




For more information...
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx