HPE Software Products: Web Security Research Group
Can anybody please provide me this version download link HP SwfScan 126.96.36.199?
Are there any download links available for SWFSCAN?
The SWFSCAN download link on HP site seems to be broken. Where can I download another copy?
But when I google for it elsewhere, there seem to be PLENTY of trojaned copies available. Please protect your community and publish a safe version on your site again.
Just like the topic says, where can I download swfscan? I need it to test my flash applications, thanks for any help you can give me.
1) Though it seems user friendly, there is no user guide provided by HP.
2) How to start? Or what are the prerequisites to work with SWF in this tool? No info available.
Please help me if anyone knows.
I've issues in this.
We have recently migrated from flex sdk 3.5 to 4.1.
After this migration one of the swf files is showing up blank on decompilation, because of which there is nothing for Swfscan to analyze.
What can be the possible cause of this? Does Swf scan have some compatibility issues with flex sdk 4.1?
Any help is appreciated.
I read the FAQ, it didn't help me. Can someone point us to a log file so that we can find out what needs to be done to get around this issue? Also we have the source in our hand, do we really need to decompile? Can't we just have the tool scan the source for vulnerabilities?
I discovered that the URL field in SWFScan version 1.0 is limited to 100 characters.
To work around this the user would have to separately copy the desired SWF file to the hard drive, and then scan it with SWFscan from that location. Use the yellow folder icon to the right of the URL field in order to browse the drives and locate the SWF file.
Is there any alternative?
Regards / Jonas
How do we scan flash applications protected by a login? Does Swfscan support/have something like a login macro/script that can be used to direct the tool to scan the actual application? I have been to the settings and do not find anything related. When I try to enter the URL of the Flash application, it complains malformed flash application. (The URL, if entered in a browser, redirects to a login page and once valid credentials are submitted takes us to the actual flash application.)
Also, are the features of SWFScan integrated to WebInspect 8.0?
Our Flex app uses a preloader, and when we point SwfScan at our .swf, the only class it loads is the preloader.
Is there any way to evaluate the rest of the application, or do we need to remove the preloader for that?
The original FAQ for SWFScan is in the blogs: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/hp-swfscan-faq.aspx?jumpid=reg_R1002_USEN
However, that research blog will be redirecting new questions to this SWFScan user forum.
I've been trying to use SWFScan and it worked fine on my Flex 3 app, but none of my AS2-based SWFs (built using Flash 8) work. Every time I try to load them I get an error stating:
"The Flash Application was malformed: Malformed data in SWF Header"
The SWFs themselves work fine, so I'm fairly certain there aren't any problems with the files.
Overall, the tool is pretty good. But it missed a couple of issues that were detected manually during a recent assessment.
1) External XML loading (via URL in configpath) - not sure this is detectable via static analysis?
2) Security.allowDomain() issues - Security.allowDomain("*") and Security.allowInsecureDomain("*")
I run a project called flXHR ( http://flxhr.flensed.com ) which is a flash proxy for client side, cross-domain Ajax calls. When I tried to open my flXHR.swf file with your tool, it complains about malformed headers and not being able to open it.
However, this SWF works just fine, it's used all over the place on my site and by others. What's wrong?
I have attached the screen shots from a normal installation.
Hey there guys and gal, great tool. If you plan on making any improvements, it would be awesome if you could point it at a web page/site and have it parse out all the SWFs on a page and give you an option to then scan one or more of them with a quick click.
Also the error message you get when you point SWFScan at a web site thinking this feature is already there isn't all that clear either, but hey it's a free tool right?
Anyway, cool stuff!
For some reason when I run swf scan, the "Create Vulnerability Report" menu item is always greyed out. How do I create a vuln report?