[WEB SECURITY] Re: Flash Obfuscation

Kevin Stadmeyer leviticus at gmail.com
Sat May 1 12:00:00 EDT 2010


What are you hoping to accomplish by obfuscation? If it's security, you are
barking up the wrong tree; if you just want to make it a bit more difficult
for people to lift your ideas, it may be worth looking into.

That said, I don't have any recommendations, so sorry.

You should be treating the data from the flash client as completely
untrusted and validating everything; obfuscating the code may slow down an
attacker but it isn't going to protect anything. Obfuscation as a
security recommendation just doesn't make sense; I thought we got rid of
security through obscurity a while ago?

--Kevin

On Fri, Apr 30, 2010 at 5:00 PM, 0x4150 <0x4150 at gmail.com> wrote:

> My company had a pen test of the application and the tester reported
> that we should obfuscate the flash content. I would like to make it as
> difficult as possible for an attacker to reverse and understand the
> application logic. The application deals with sensitive data so I want
> to protect it (as much as possible). I was told there were ~3 products
> on the market which can obfuscate flash, but none seemed reputable.
>
> On Fri, Apr 30, 2010 at 6:58 AM, Brad Causey <bradcausey at owasp.org> wrote:
> > What's your goal? Maybe that'll help us help you.
> >
> > On 4/30/10, Paul Melson <pmelson at gmail.com> wrote:
> >> On Thu, Apr 29, 2010 at 2:05 AM, 0x4150 <0x4150 at gmail.com> wrote:
> >>> Has anyone done obfuscation of a flash application? If so, what
> >>> tool(s) would you recommend?
> >>
> >> I wouldn't recommend any of them as a way to actually secure anything
> >> as the end result must still be a SWF file that Flash Player can parse
> >> correctly, and therefore they can be decompiled or debugged in order
> >> to reverse the code.
> >>
> >> The only example of obfuscated ActionScript that I've seen to date has
> >> been a malware dropper. In that case it was about 20 minutes by hand
> >> to reverse. About 1 minute for Wepawet to do the same.
> >>
> >> PaulM
> >>
> >>
> >>
> >> This list is sponsored by Cenzic
> >> --------------------------------------
> >> Let Us Hack You. Before Hackers Do!
> >> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> >> Request Yours Now!
> >> http://www.cenzic.com/2009HClaunch_Securityfocus
> >> --------------------------------------
> >>
> >>
> >
> > --
> > Sent from my mobile device
> >
> > -Brad Causey
> > CISSP, MCSE, C|EH, CIFI, CGSP
> >
> > http://www.owasp.org
> > --
> > "Si vis pacem, para bellum"
> > --
> >
>
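To make Kevin's point concrete, here is an added example (not code from anyone in this thread) of a server-side handler that treats every field sent by the Flash client as untrusted: it parses strictly, rejects unexpected fields, re-checks types and ranges, and takes authorization from the server-side session rather than from anything the client asserts. The message format, field names and limits are assumptions made up for the example.

```python
import json
import re
from decimal import Decimal, InvalidOperation

# Constructed samples of what a Flash client might POST. Since the SWF can be
# decompiled and requests replayed or altered, none of this is pre-validated.
SAMPLE_OK = json.dumps({"account": "AC-1042", "amount": "250.00", "memo": "rent"})
SAMPLE_BAD = json.dumps({"account": "AC-1042'; DROP", "amount": "-5",
                         "memo": "x" * 300, "role": "admin"})

ACCOUNT_RE = re.compile(r"AC-\d{4,8}")      # assumed account id format
ALLOWED_FIELDS = {"account", "amount", "memo"}
MAX_CENTS = 100_000_000                    # assumed per-request limit


def validate_transfer(raw, session_role):
    """Validate a transfer request server-side. Returns (clean, errors).

    'clean' is None when any check fails. The client-supplied 'role' field
    is never consulted; authorization comes only from session_role, which
    the server established itself.
    """
    errors = []
    try:
        data = json.loads(raw)
    except ValueError:
        return None, ["body is not valid JSON"]
    if not isinstance(data, dict):
        return None, ["body must be a JSON object"]
    extra = set(data) - ALLOWED_FIELDS      # reject, don't silently ignore
    if extra:
        errors.append("unexpected fields: %s" % ", ".join(sorted(extra)))
    account = str(data.get("account", ""))
    if not ACCOUNT_RE.fullmatch(account):
        errors.append("account id malformed")
    amount_cents = None
    try:
        amount = Decimal(str(data.get("amount", "")))
        if amount != amount.quantize(Decimal("0.01")):
            errors.append("amount has more than two decimals")
        amount_cents = int(amount * 100)
    except (InvalidOperation, ValueError):
        errors.append("amount is not a number")
    if amount_cents is not None and not 0 < amount_cents <= MAX_CENTS:
        errors.append("amount out of range")
    memo = str(data.get("memo", ""))
    if len(memo) > 140 or not memo.isprintable():
        errors.append("memo too long or contains control characters")
    if session_role not in ("customer", "teller"):
        errors.append("session not permitted to transfer")
    return (None, errors) if errors else (
        {"account": account, "amount_cents": amount_cents, "memo": memo}, [])
```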