[WEB SECURITY] Re: Flash Obfuscation
Brad Causey
bradcausey at owasp.org
Fri Apr 30 17:04:55 EDT 2010
My suggestion is to not use flash if the data is sensitive.
Flash is reversible, and any obfuscation is simply security by obscurity,
and will only make your life much harder, and the bad guys' lives a little
harder.
If you do decide to go down the obfuscation path, I'd suggest either coming
up with your own mechanism, or hiring someone to do so. Don't rely on a
tool. Just my opinion.
-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org
--
"Si vis pacem, para bellum"
--
On Fri, Apr 30, 2010 at 4:00 PM, 0x4150 <0x4150 at gmail.com> wrote:
> My company had a pen test of the application and the tester reported
> that we should obfuscate the flash content. I would like to make it as
> difficult as possible for an attacker to reverse and understand the
> application logic. The application deals with sensitive data so I want
> to protect it (as much as possible). I was told there were ~3 products
> on the market which can obfuscate flash, but none seemed reputable.
>
> On Fri, Apr 30, 2010 at 6:58 AM, Brad Causey <bradcausey at owasp.org> wrote:
> > What's your goal? Maybe that'll help us help you.
> >
> > On 4/30/10, Paul Melson <pmelson at gmail.com> wrote:
> >> On Thu, Apr 29, 2010 at 2:05 AM, 0x4150 <0x4150 at gmail.com> wrote:
> >>> Has anyone done obfuscation of a flash application? If so, what
> >>> tool(s) would you recommend?
> >>
> >> I wouldn't recommend any of them as a way to actually secure anything
> >> as the end result must still be a SWF file that Flash Player can parse
> >> correctly, and therefore they can be decompiled or debugged in order
> >> to reverse the code.
> >>
> >> The only example of obfuscated ActionScript that I've seen to date has
> >> been a malware dropper. In that case it was about 20 minutes by hand
> >> to reverse. About 1 minute for Wepawet to do the same.
> >>
> >> PaulM
> >>
> >
> > --
> > Sent from my mobile device
> >
> > -Brad Causey
> > CISSP, MCSE, C|EH, CIFI, CGSP
> >
> > http://www.owasp.org
> > --
> > "Si vis pacem, para bellum"
> > --
> >
>
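Paul's point in the quoted message is that whatever an obfuscator emits still has to be a well-formed SWF that Flash Player can parse, so the container and its bytecode-bearing tags stay inspectable. The following Python is an added illustration of that, not code from this thread or from any of the products mentioned: it builds a minimal SWF from constructed tag data in both the uncompressed `FWS` and zlib-compressed `CWS` forms, parses it back, and lists the tags that carry ActionScript bytecode (`DoAction`, code 12; `DoABC`, code 82, per the public SWF specification). The `DoABC` body here is placeholder bytes, not real ABC code, and the LZMA `ZWS` form is deliberately not handled.

```python
import struct
import zlib

# Tag codes from the public SWF file format specification.
TAG_END = 0
TAG_DO_ACTION = 12   # ActionScript 1/2 bytecode
TAG_DO_ABC = 82      # ActionScript 3 bytecode (ABC block)


def _rect_size(data, offset):
    """Byte length of the bit-packed RECT (frame size) starting at offset."""
    nbits = data[offset] >> 3            # top 5 bits give the per-field width
    total_bits = 5 + 4 * nbits
    return (total_bits + 7) // 8


def parse_swf(blob):
    """Parse a SWF container; return (version, [(tag_code, body_bytes), ...])."""
    sig = blob[:3]
    version = blob[3]
    file_len = struct.unpack('<I', blob[4:8])[0]   # uncompressed length incl. header
    if sig == b'FWS':
        body = blob[8:]
    elif sig == b'CWS':
        body = zlib.decompress(blob[8:])           # everything after the 8-byte header
    else:
        raise ValueError('not an FWS/CWS SWF (LZMA "ZWS" not handled here)')
    if len(body) + 8 != file_len:
        raise ValueError('header length does not match decoded body')
    pos = _rect_size(body, 0)   # frame size RECT
    pos += 2 + 2                # frame rate (UI16, 8.8 fixed) + frame count (UI16)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from('<H', body, pos)[0]
        pos += 2
        code = code_and_len >> 6          # upper 10 bits: tag code
        length = code_and_len & 0x3F      # lower 6 bits: short length
        if length == 0x3F:                # long form: UI32 length follows
            length = struct.unpack_from('<I', body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return version, tags


def build_swf(tags, compress=False, version=10):
    """Build a minimal SWF (constructed test data) from (code, body) pairs."""
    body = bytearray(b'\x00')                 # RECT with nbits=0 fits in one byte
    body += struct.pack('<HH', 24 << 8, 1)    # 24.0 fps, 1 frame
    for code, payload in tags:
        if len(payload) < 0x3F:
            body += struct.pack('<H', (code << 6) | len(payload))
        else:
            body += struct.pack('<HI', (code << 6) | 0x3F, len(payload))
        body += payload
    header = struct.pack('<3sBI', b'CWS' if compress else b'FWS',
                         version, 8 + len(body))
    return header + (zlib.compress(bytes(body)) if compress else bytes(body))


def code_tags(blob):
    """Inventory of bytecode-bearing tags in a SWF, keyed by tag name."""
    names = {TAG_DO_ACTION: 'DoAction', TAG_DO_ABC: 'DoABC'}
    _, tags = parse_swf(blob)
    return {names[c]: b for c, b in tags if c in names}


# Constructed sample: a DoABC tag with a placeholder body (flags, name, fake ABC
# bytes) long enough to exercise the long-length tag form, followed by End.
SAMPLE_ABC = struct.pack('<I', 1) + b'frame1\x00' + bytes(range(80))
SAMPLE_TAGS = [(TAG_DO_ABC, SAMPLE_ABC), (TAG_END, b'')]
PLAIN_SWF = build_swf(SAMPLE_TAGS)
PACKED_SWF = build_swf(SAMPLE_TAGS, compress=True)

if __name__ == '__main__':
    for label, blob in (('FWS', PLAIN_SWF), ('CWS', PACKED_SWF)):
        version, tags = parse_swf(blob)
        print(label, 'version', version, 'tags', [(c, len(b)) for c, b in tags])
        print('  bytecode tags:', {k: len(v) for k, v in code_tags(blob).items()})
```

Whether the file is stored compressed or not, the same tag list comes back, which is the property Paul is pointing at: compression and renaming change presentation, not the fact that the player (and therefore anyone with the file) gets the bytecode in a documented container.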