A while ago Hewlett-Packard released a tool (custom decompiler) for 'exposing Flash Application vulnerabilities'.
It might make an easy starting point for further investigation.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/exposing-flash-application-vulnerabilities-with-swfscan.aspx

C:

-----Original Message-----
From: flashcoders-boun...@chattyfig.figleaf.com [mailto:flashcoders-boun...@chattyfig.figleaf.com] On Behalf Of Boerner, Brian J
Sent: Thursday, 3 June 2010 6:55 AM
To: Flash Coders List
Subject: [Flashcoders] RIA Secure Coding

This one is for all the RIA developers on the list. I haven't really seen secure coding widely addressed here but was hoping someone had knowledge that could get me started.

I'm leading an effort to develop Flash coding standards in a corporate environment so there are fewer (or no) security risks and so there's a knowledge base of what to look for. I gather that this is not an exciting topic for FC but I have to do a thorough job documenting vulnerabilities, best practices, common pitfalls. I'm hoping someone here has had to wrestle with security for a financial app or hotel booking...

I understand that the player itself is the main concern but I don't know how it can be hacked... I don't even want to google 'hacking flash' for fear an Adobe goon will hunt me down (and take my iPod touch).

Any of you familiar with OWASP? I have to write a report based on these top ten vulnerabilities (link). I can see the value but it hurts my web designer brain :^)

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.