[WEB SECURITY] Re: Flash Obfuscation

jack mannino jack.a.mannino at gmail.com
Sat May 1 05:50:27 EDT 2010


Using some of the obfuscators you described, you are only marginally
increasing the difficulty and amount of time it takes to reverse and
deobfuscate a SWF.  You are making it more difficult for other developers to
read and "borrow" code, but anyone skilled can still rip it apart in a
reasonable amount of time.  This is security by obscurity, and mediocre
advice at best.

Rather than spending a lot of time focusing on obfuscating your code, focus
on ensuring that sensitive data isn't made available at the client.  If you
are directly exposing critical corporate assets, credentials, and any
secrets you don't want to be made readily available, remove that from the
code you push to the client.  If you are exposing more functionality than
required, focus on moving that to the server and minimizing the attack
surface exposed via the SWF using a consistent and well-defined API.  Narrow
down what an attacker can achieve and learn from the SWF and enforce
appropriate restrictions server-side.  That will do a lot more to improve
your security posture than obfuscating your code.

Just my $.02

-Jack

On Fri, Apr 30, 2010 at 2:00 PM, 0x4150 <0x4150 at gmail.com> wrote:

> My company had a pen test of the application and the tester reported
> that we should obfuscate the flash content. I would like to make it as
> difficult as possible for an attacker to reverse and understand the
> application logic. The application deals with sensitive data so I want
> to protect it (as much as possible). I was told there were ~3 products
> on the market which can obfuscate flash, but none seemed reputable.
>
> On Fri, Apr 30, 2010 at 6:58 AM, Brad Causey <bradcausey at owasp.org> wrote:
> > What's your goal? Maybe that'll help us help you.
> >
> > On 4/30/10, Paul Melson <pmelson at gmail.com> wrote:
> >> On Thu, Apr 29, 2010 at 2:05 AM, 0x4150 <0x4150 at gmail.com> wrote:
> >>> Has anyone done obfuscation of a flash application? If so, what
> >>> tool(s) would you recommend?
> >>
> >> I wouldn't recommend any of them as a way to actually secure anything
> >> as the end result must still be a SWF file that Flash Player can parse
> >> correctly, and therefore they can be decompiled or debugged in order
> >> to reverse the code.
> >>
> >> The only example of obfuscated ActionScript that I've seen to date has
> >> been a malware dropper. In that case it was about 20 minutes by hand
> >> to reverse. About 1 minute for Wepawet to do the same.
> >>
> >> PaulM
> >>
> >>
> >
> > --
> > Sent from my mobile device
> >
> > -Brad Causey
> > CISSP, MCSE, C|EH, CIFI, CGSP
> >
> > http://www.owasp.org
> > --
> > "Si vis pacem, para bellum"
> > --
> >
>
>
>
>
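A release-time check in the spirit of Jack's advice, added here as an example and not part of the thread: decompress a SWF build and flag string constants that look like credentials or internal endpoints before the file is pushed to the client. The header layout (FWS/CWS signature, version byte, little-endian length, zlib body) is the real SWF format; the secret patterns and the sample SWF are constructed for illustration.

```python
import re
import struct
import zlib

# Patterns a reviewer would not want shipped in client code (hypothetical list;
# extend it with whatever your own builds tend to leak).
SECRET_PATTERNS = [
    re.compile(rb"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*[^\s\x00'\"]+"),
    re.compile(rb"(?i)https?://[^\s\x00\"']*(admin|internal)[^\s\x00\"']*"),
]


def swf_body(blob: bytes) -> bytes:
    """Return the tag data of a SWF with the 8-byte header stripped.

    Header: 3-byte signature, 1-byte version, 4-byte little-endian length of
    the *uncompressed* file. A CWS body is zlib-compressed; FWS is plain.
    """
    sig, _version, length = struct.unpack("<3sBI", blob[:8])
    if sig == b"FWS":
        return blob[8:]
    if sig == b"CWS":
        body = zlib.decompress(blob[8:])
        if len(body) + 8 != length:
            raise ValueError("declared length does not match decompressed size")
        return body
    raise ValueError(f"unsupported signature {sig!r}")  # ZWS (LZMA) not handled here


def find_secrets(blob: bytes) -> list[bytes]:
    """Return every SECRET_PATTERNS match in the SWF's tag data.

    Only plain string constants are caught; that is the point: anything that
    must stay secret should not be in the SWF at all, encoded or not.
    """
    body = swf_body(blob)
    return [m.group(0) for p in SECRET_PATTERNS for m in p.finditer(body)]


def make_cws(body: bytes) -> bytes:
    """Wrap constructed tag data in a CWS header (test input only)."""
    return b"CWS" + bytes([10]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)


# Constructed sample: strings an ActionScript build might embed by mistake.
SAMPLE_SWF = make_cws(
    b"\x00\x00\x00" b"apiKey=SAMPLE-NOT-REAL-1234\x00"
    b"var url = 'https://example.com/internal/report'\x00"
    b"hello world\x00"
)

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_SWF):
        print("do not ship:", hit.decode(errors="replace"))
```

Run it against the real build output in CI and fail the release on any hit; an empty list says nothing about logic that should have moved server-side.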