Absent Member.

how to scan a Flash app with WebInspect?

how to scan a Flash app with WebInspect? Thank you.

Accepted Solutions
Micro Focus Expert

WebInspect automatically scans Flash, and will in fact download SWF files and scan them statically for vulnerabilities during a standard (dynamic) web site or web services (SOAP) scan.  This is enabled On by default under the Edit menu > Default Scan Settings > Content Analyzers panel > Flash (On or Off).

From the Help (F1):  "If you enable the Flash analyzer, WebInspect analyzes Flash files, Adobe's vector graphics-based resizable animation format."  If you highlight a SWF file in the Site Tree pane, WebInspect will display it as HTML and not binary data (mentioned in the Help).  Note also that SWF files and JavaScript include files are not subject to the Requestor scan settings for "Limit maximum response size to ___".

If you Search within the included Policy Manager tool for checks with the name "flash", you will see many of the items that would show up when scanning a SWF file.

When recording a (Login) Web Macro against Flash, you may be forced to use the TruClient, Mozilla-based rendering engine.  I believe the Help guide (see "Unsupported Elements") mentions that the IE-based engine cannot handle select technologies such as Flash.

The advent of this capability was a freeware, proof-of-concept tool SPI Dynamics (pre-HP/HP) had released called SWFscan, which can still be found within WebInspect's Tools menu.  Once we sorted out the capability, it was added to the standard scan and so the tool is hardly ever used now.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify

Absent Member.

Thank you Hans. You are always helpful.
