Protect Your Assets


pjagdale ‎03-20-2009 10:38 PM - edited ‎09-29-2015 09:51 AM

What is HP SWFScan?


HP SWFScan is a free (as in beer)
Flash security tool. The tool decompiles and audits applications written for
the Flash platform.




How do you pronounce HP SWFScan?


HP “SwiffScan”




Who developed this awesome
security tool called HP SWFScan?


SWFScan was developed by the smart guys and gals of HP's Web Security Research Group.



I have questions, feedback or comments. Who do I send them to?


Please report any feedback,
comments and feature requests to the forum at



Which versions of Flash will HP SWFScan support?


All public versions of Flash as of this writing, in other words up to and including Flash 10. Newer versions should continue to work as long as the SWF uses ActionScript 2 or ActionScript 3.



How do I scan my Flash application?


Point it at the URL of a SWF file, or
browse to a SWF file on disk, and click the “Get” button.




Can I load Flash applications from the web?


Yes. Specify the URL of the SWF
file to be scanned and click ‘Get’.




Why doesn’t a link to a webpage decompile
the Flash applications on it?


There are lots of ways to include Flash objects in a webpage: different tags, different parameters, even JavaScript. HP SWFScan does not try to auto-magically
identify embedded SWF files in the HTML. You must do this manually. Sorry.




How does HP SWFScan find vulnerabilities?


HP SWFScan uses Static Analysis to
detect vulnerabilities.




What is Static Analysis?


Magic that was gifted to us by unicorns! Ok, so we didn't get it from unicorns, but really, read Static Analysis on Wikipedia and you'll agree about the magic thing.




Is there a way to report on the
vulnerabilities HP SWFScan finds?


Yes. Click on “Create
Vulnerability Report” under the “File” menu. Specify the name of the HTML file in
the “Save File” dialog box and click “Save”.




How do I verify the vulnerabilities HP
SWFScan finds?


When the analysis is complete, HP
SWFScan highlights the source code that is causing the issue. The user must
verify each finding manually.




Why do some of the vulnerabilities not have
any highlighted source associated with them?


In addition to finding
vulnerabilities associated with the ActionScript code, HP SWFScan also audits
the SWF tags in the Flash application. Improper use of SWF tags can also
violate Adobe’s Security Best Practices. Such tags do not have any
ActionScript code associated with them. Therefore, these issues are reported at
the top of the decompiled source tree and do not have any ActionScript source associated with them.




How should I fix the vulnerabilities HP
SWFScan finds?


Every issue reported by HP SWFScan
is associated with a vulnerability report that explains the cause of the issue;
the report also provides fix suggestions and a list of
additional references to learn more about the detected issue. You can also read Adobe’s excellent security recommendations.




How long does it take to decompile?


Depending on the size of the Flash
application being decompiled, it may take anywhere from 5 to 30 seconds.




How long does it take to audit the Flash application?


Depending on the size of the Flash
application being scanned, HP SWFScan may take from 10 to 40 seconds to audit the Flash application.




How much caffeine was really consumed while
developing HP SWFScan?


Approximately 439.6 kilograms of
caffeine were consumed.




How can I save the decompiled source?


Click File -> Export
Source Code. In the dialog box, specify the name of the file to save the
decompiled code to and click “Save”.




Where are the Flash system libraries?


HP SWFScan by default does not
decompile or audit the Flash system libraries in order to optimize decompilation
and audit time.




What are exclusions?


When compiled, the ActionScript 2
and ActionScript 3 system libraries are included in the final SWF. When
decompiling, HP SWFScan excludes the system libraries from the decompile
process. However, HP SWFScan allows the user to turn off these exclusions and
add custom exclusions. This is helpful when you want to exclude other, third-party component libraries.




How do I add exclusions?


HP SWFScan excludes packages based
on their names. To exclude a particular package, users can specify a regular expression
that matches the package name to be excluded. To specify custom exclusions,
under the Settings tab, click on “AS2 Exclusions” or “AS3 Exclusions” depending
on the version of the Flash application being decompiled.




Can I use a proxy?


Yes, you can. To specify a web
proxy, look for the Proxy tab under Settings. Only simple web proxies are supported.




I want to search for a specific string, how
do I do that?


HP SWFScan provides a search
feature that can be accessed by clicking on the “Search” button on the main
window. The user can choose to either search the entire code or only specific
blocks of code by choosing one of the options on the left bottom corner of the
search window.




What is this “checks” thing in the Settings tab?


“Checks” represent the
vulnerabilities that HP SWFScan looks for during the audit. Users are allowed
to choose the “Checks” that they want to run against their applications. To do
this, look for Checks under the Settings tab and select the desired ones.




Why does the decompiled source say “//Failed
to decompile source”?


Handcrafted SWF files generally
contain control structures that cannot be correctly represented in the
ActionScript language. Blocks of code with these odd structures cannot be successfully decompiled by HP
SWFScan. However, HP SWFScan can often decompile the other parts of the SWF file. It notifies the user of such a failure by inserting the “//Failed to
decompile source” comment.




Which versions of ActionScript will HP
SWFScan support?


HP SWFScan supports ActionScript 2 and ActionScript 3.


What about ActionScript 1?


It kinda doesn't exist. It's weird. We don't understand.




Does HP SWFScan validate the vulnerabilities
it finds?


No. SWFScan is a purely static
analysis tool and does not perform any dynamic analysis to validate the
detected vulnerabilities.




How did you collect your statistics about
vulnerable Flash applications?


We collected over 5000 SWFs by searching Google using the search query
"filetype:swf" plus some random generic keywords. Of those we tested 3954. Of those 3954 Flash
applications, 551 are ActionScript 3 (Flash version 9 or 10) and
3403 are ActionScript 2 (Flash 8 and below).




XSS Number:


Only ActionScript 2 can contain
FlashVar-based XSS vulnerabilities. Of the 3403 AS2 Flash apps, only 633 had
code that could be XSS-able (specifically, function calls to things like getUrl
with user-supplied input as parameters). Of the 633, we found that 99 contained
XSS vulnerabilities. We manually confirmed these issues.




Debugging Number:


426 of the 551 Flash version 9 or 10 applications
made calls to the trace() debugging function or contained debugfile
and debugline opcodes. We excluded all the standard Adobe functions and looked
only at user-created code to ensure that only user-supplied debugging data was counted.

Best Practices Number:

1381 of the 3954 Flash applications contained at least one of the following issues defined in Adobe's "Creating more secure SWF web applications":

• Contained XSS
• Contained debugging information
• Stage was too small
• Insecure cross-domain permissions
• Obsolete/insecure protection mechanisms like PROTECT, ENABLEDEBUGGER, etc.
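The SWF-tag audit described earlier (findings with no ActionScript to highlight) and the PROTECT/ENABLEDEBUGGER item in the list above both come down to walking the tag records of a SWF file. The following Python is an added illustration, not HP's code or part of the original post: it parses the SWF header and tag records, flags the obsolete protection tags, and builds its own constructed sample SWF (tag codes are taken from the SWF file-format specification; LZMA-compressed ZWS files are deliberately not handled).

```python
import struct
import zlib

# Tag codes from the SWF spec that the best-practice list above calls obsolete/insecure protection.
FLAGGED = {24: "PROTECT tag: password 'protection' is trivially stripped, not a security control",
           58: "ENABLEDEBUGGER tag: remote debugging left enabled in a release build",
           64: "ENABLEDEBUGGER2 tag: remote debugging left enabled in a release build"}

def swf_body(data):
    """Return the uncompressed bytes after the 8-byte SWF header (FWS or zlib CWS only)."""
    sig, body = data[:3], data[8:]
    if sig == b"CWS":
        return zlib.decompress(body)
    if sig != b"FWS":
        raise ValueError("unsupported SWF signature %r (ZWS/LZMA not handled)" % sig)
    return body

def swf_tags(data):
    """Yield (tag_code, tag_payload) for every tag record, stopping at the End tag."""
    body = swf_body(data)
    nbits = body[0] >> 3                        # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4          # skip RECT, frame rate (UI16) and frame count (UI16)
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, length = header >> 6, header & 0x3F
        pos += 2
        if length == 0x3F:                      # long form: SI32 length follows the record header
            length = struct.unpack_from("<i", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break

def audit(data):
    """Tag-level findings: these carry no ActionScript, so there is no source to highlight."""
    return [FLAGGED[code] for code, _ in swf_tags(data) if code in FLAGGED]

def _tag(code, payload=b""):
    """Encode one tag record (short form, or long form for payloads of 63+ bytes)."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<Hi", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf(compress=False):
    """Constructed Flash 8 SWF: 550x400 stage, 24 fps, PROTECT + ENABLEDEBUGGER, one empty frame."""
    rect = bytes([0x78, 0x00, 0x05, 0x5F, 0x00, 0x00, 0x0F, 0xA0, 0x00])  # Nbits=15, 11000x8000 twips
    body = rect + struct.pack("<HH", 0x1800, 1)
    body += _tag(24) + _tag(58, b"placeholder\x00") + _tag(1) + _tag(0)  # password field is a placeholder
    return (b"CWS" if compress else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body)) + (zlib.compress(body) if compress else body)
```

Running `audit(open("app.swf", "rb").read())` on a real FWS/CWS file lists the flagged tags; a clean release build returns an empty list.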



Will HP SWFScan audit the server scripts
used by the Flash application?

No. HP SWFScan only audits the
client side code of the Flash applications.


Where can I learn more about Flash security?


A few resources that will help
users to learn about Flash security are:



on ‎03-23-2009 09:44 AM

Pingback from  HP offers a security tool for Flash developers

on ‎03-23-2009 09:48 AM

Pingback from  Free tool for Flash developers on the POWERFLASHER Blog

on ‎03-23-2009 04:45 PM

Pingback from  HP SWFScan - HP releases FREE Flash Security Tool | The 'Nick Generation' World

on ‎03-23-2009 10:35 PM

hey, thanks for the info

on ‎03-24-2009 01:06 AM

Pingback from  .:: Blog - Massimo Rabbi ::.  » SWFScan: free security tool from HP for Flash developers

on ‎03-24-2009 06:58 AM

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


on ‎03-24-2009 11:59 PM

Very good, but how about a command line scan tool, suitable for running on Linux, that can be scripted to scan directories with thousands of SWFs?


on ‎03-25-2009 08:33 AM

Pingback from  1 in 3 Flash Web Applications Violates Security Best Practices | IndicThreads


on ‎04-02-2009 02:48 PM

Pingback from  Following Adobe's security standards | André Caribé

on ‎04-21-2009 03:41 AM

We are trying to load a flash URL (http://...../.../xyz.swf) - The tool is giving an error "Decompile Failed" message. Any help will be greatly appreciated.

on ‎04-29-2009 05:16 AM

what is this..
