Monday, December 10, 2007

SWF Intruder

Testing Security in Flash Movies

Today I have been reading a lot about Web Application Malware / Web Application Worm that spreads through social networking site, like Friendster and Myspace. Embed a malicious Flash SWF movie, is one of the most used technique to hack friendster account or hack myspace account as well. In the dumbest way, you could embed a malicious Flash swf movie script into your friend’s testimonial box, and make it to be redirected to a fake login page, and let them entry their login data , it’s only one of many dumb way to hijack friendster account or to hijack myspace account.
According to the condition specified above, a useful tool called SWFintruder has been developed, and known as the first tool for testing security in Flash movies. The major features of this tool are:


1. Basic predefined attack pattern
2. Highly customizable attacks
3. Highly customizable undefined variables
4. Semi automated Xss check


· Download the SWFintruder source code from GoogleCode.
· Extract the source code into the root of your web server.
· Browse to your
http://yourhost/swfintruderdir
· Download some flawed swf files, and put it on your web server too.
· Fill the “Flash Movie” with your desired flawed swf movie, and then click “Load”.
· If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.


The other video tutorial on SWFintruder can be downloaded here. Other previews about this application can be read on: Ngoprekweb.com , ProfessionalSecurityTesters.org , and Ajaxian.com .

No comments: