Web Application Security
Flash Obfuscation Apr 29 2010 06:05AM
0x4150 (0x4150 gmail com) (1 replies)
Re: Flash Obfuscation Apr 30 2010 10:59AM
Paul Melson (pmelson gmail com) (1 replies)
Re: Flash Obfuscation Apr 30 2010 11:58AM
Brad Causey (bradcausey owasp org) (1 replies)
Re: Flash Obfuscation Apr 30 2010 09:00PM
0x4150 (0x4150 gmail com)
My company had a pen test of the application and the tester reported
that we should obfuscate the flash content. I would like to make it as
difficult as possible for an attacker to reverse and understand the
application logic. The application deals with sensitive data so I want
to protect it (as much as possible). I was told there were ~3 products
on the market which can obfuscate flash, but none seemed reputable.

On Fri, Apr 30, 2010 at 6:58 AM, Brad Causey <bradcausey (at) owasp (dot) org> wrote:
> What's your goal? Maybe that'll help us help you.
>
> On 4/30/10, Paul Melson <pmelson (at) gmail (dot) com> wrote:
>> On Thu, Apr 29, 2010 at 2:05 AM, 0x4150 <0x4150 (at) gmail (dot) com> wrote:
>>> Has anyone done obfuscation of a flash application? If so, what
>>> tool(s) would you recommend?
>>
>> I wouldn't recommend any of them as a way to actually secure anything
>> as the end result must still be a SWF file that Flash Player can parse
>> correctly, and therefore they can be decompiled or debugged in order
>> to reverse the code.
>>
>> The only example of obfuscated ActionScript that I've seen to date has
>> been a malware dropper. In that case it was about 20 minutes by hand
>> to reverse. About 1 minute for Wepawet to do the same.
>>
>> PaulM
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>>
>
> --
> Sent from my mobile device
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> "Si vis pacem, para bellum"
> --
>
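
An added illustration of the point quoted above, that the result must still be a SWF file Flash Player can parse (this is not code from any poster in the thread). It inflates a `CWS` file and walks its tag records to show that the container layout stays readable. The sample file and its `DoABC` payload are constructed placeholders, and LZMA (`ZWS`) files are not handled.

```python
import struct
import zlib

# Tag codes from the SWF file format; 12, 59 and 82 carry ActionScript.
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction",
             59: "DoInitAction", 69: "FileAttributes", 82: "DoABC"}
CODE_TAGS = {12, 59, 82}

def unpack_swf(data):
    """Return (version, body) where body is everything after the 8-byte header."""
    sig, version = data[:3], data[3]
    (declared,) = struct.unpack_from("<I", data, 4)
    if sig == b"CWS":            # zlib-compressed body
        body = zlib.decompress(data[8:])
    elif sig == b"FWS":          # stored uncompressed
        body = data[8:]
    else:
        raise ValueError("unsupported signature %r" % sig)
    if len(body) + 8 != declared:
        raise ValueError("FileLength does not match body size")
    return version, body

def list_tags(body):
    """Walk the tag records and return [(code, name, payload_size), ...]."""
    nbits = body[0] >> 3                      # RECT: 5-bit field width
    pos = (5 + 4 * nbits + 7) // 8 + 4        # skip RECT, FrameRate, FrameCount
    tags = []
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, size = hdr >> 6, hdr & 0x3F
        if size == 0x3F:                      # long form: 32-bit length follows
            (size,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + size > len(body):
            raise ValueError("tag %d runs past end of file" % code)
        tags.append((code, TAG_NAMES.get(code, "tag %d" % code), size))
        pos += size
        if code == 0:
            break
    return tags

# Constructed sample: a minimal CWS file with a placeholder DoABC payload.
ABC = b"\x01\x00\x00\x00main\x00CONSTRUCTED-ABC-PLACEHOLDER"
_body = (b"\x78" + bytes(8) + struct.pack("<HH", 0x1800, 1)
         + struct.pack("<H", (69 << 6) | 4) + bytes(4)
         + struct.pack("<HI", (82 << 6) | 0x3F, len(ABC)) + ABC
         + struct.pack("<H", 1 << 6) + struct.pack("<H", 0))
SAMPLE = b"CWS\x0a" + struct.pack("<I", len(_body) + 8) + zlib.compress(_body)

if __name__ == "__main__":
    version, body = unpack_swf(SAMPLE)
    for code, name, size in list_tags(body):
        print(code, name, size, "<- code" if code in CODE_TAGS else "")
```
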

Copyright 2010, SecurityFocus