A free Flash security tool, being released today, is designed to find and identify vulnerabilities in the source code and could speed up detection and ease the headaches caused by more manual scanning tools.
Hewlett-Packard Co. worked closely with Adobe Systems Inc. to develop SWFScan, a tool that scans all versions of Adobe Flash, decompiles the program and highlights the source code to identify between 60 and 65 vulnerabilities, said Billy Hoffman, manager of HP's Web Security Research Group.
"The tool goes in and highlights the source code that is causing the vulnerability," Hoffman said. "So we're actually highlighting it, saying, 'this line here is where you made a call to allow an insecure domain function, anybody can access it; this is a vulnerability.'"
Secure software development:
McGraw on secure software development: In this video, Gary McGraw of Cigital Inc. explains why
better secure coding could help thwart future Web 2.0 attacks. He says the industry is making
New York drafts language demanding secure code: State will demand software makers certify their software does not contain the coding errors listed in the CWE/SANS Top 25 Dangerous Programming Errors.
Security experts identify 25 dangerous coding errors: A new list of common programming errors could give non-experts the ability to demand higher coding standards.
Adobe Flash has become ubiquitous on the Web, being used to show moving graphics, videos or animation on Web pages. But attackers have targeted flaws in the coding as a stepping stone to gain access to the servers behind the websites. Although there have been free tools offered in the past that will decompile some versions of Flash, SWFScan works on all versions of Flash, old and new, Hoffman said. SWFScan is also developer-friendly. Similar tools, such as the SWFIntruder, are more manual and require a Mozilla Firefox plug-in. The SWFScan is a true standalone tool, he said.
"We are analyzing [the source code] to find vulnerabilities, so [the tool] actually goes through the code and looks at what variables are being used in what functions, this is one of the differentiating factors," Hoffman said.
Prajakta Jagdale, a senior security research engineer who developed SWFScan, said static analysis is another component of the tool that sets it apart from other free scanners. Jagdale spoke briefly about the tool's release last month during a presentation at the Black Hat DC conference in Arlington, Va.
When you utilize SWF applications within your website or have banner advertisements on your website, you can't just assume they are secure, Jagdale said. With SWFScan, an individual can double check for any vulnerabilities.
Jagdale said the remediation report that follows the vulnerability detection states what the vulnerability is, the type of exploit that can take advantage of it, and how to fix the problem. The tool does not fix any of these errors, but gives the user the guidance to fix them, she said.
"The key is the advice we're giving is Adobe's best security practices," Jagdale said. "Adobe's advice is really embedded in the tool concerning remediation."
On average the tool scans and highlights the source code in less than a minute, Jagdale said.
Hoffman said the tool does not look for vulnerabilities inside the Flash plug-in itself.
"We're not analyzing the player, we're analyzing the program," he said. "We're not looking at everything on the server; we're not testing those end points of the server for SQL injection. We're pretty much only looking at Flash applications that run inside the browser."
Cross-site scripting, cross-domain privilege escalation and user input that is not validated are examples of security vulnerabilities that could be targeted by malicious hackers, resulting from errors in the source code -- errors the tool can detect, Hoffman said.
"I would suggest to use [the tool] whenever you've made significant changes to your application," Hoffman said. "Every time there's an update to the code, even if there's only supposed to be a minor update. It runs so quickly, you might as well use it."
The SWFScan is targeted at developers, but is also for those who conduct code reviews such as members of a security department within an organization and third-party consultants, Hoffman said.
"The real problem is that developers know about security practices and are aware of the documents that explain how to fix problems, but they often don't do it, or only think they've done it and think they're secure [when they really are not]," Hoffman said. "The SWFScan provides a check and balance."