Dynamic Analysis of Flash Files - Jacob Thompson Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)

Adobe Flash can be a roadblock and source of frustration for web application penetration testers. Implementation details in the Flash debugger make it difficult to debug the ActionScript code within a release-build SWF file. In this talk, I give a general overview of the process of debugging ActionScript in Flash and AIR SWF files. I then introduce a tool I have written to inject synthetic file and line-number information into release SWF files, converting them into debuggable ones and allowing them to be dynamically analyzed using standard tools.

Jacob Thompson is a Senior Security Analyst for Independent Security Evaluators, where he specializes in high-end, custom security assessments of computer hardware and software products. He has 10+ years' experience, a propensity toward hands-on security assessment, and proficiencies in reverse engineering, DRM systems, cryptography, system and application security, and secure system design. Through his 3 years' work with ISE, Mr. Thompson has partaken in multiple major vulnerabilities and assessments, customer visits, and progress presentations. He has presented his research at DEFCON 21, BSides DC 2013 & 2014, DERBYCON 4.0, and ToorCon 2014.


Copyright 2020, IronGeek