Hacking Flash Applications for Fun and Profit (Blackhat)

In this Blackhat 2009 talk titled "Blinded by Flash: Widespread Security Risks Flash Developers Don't See" Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. The talk also saw the release of the SWFScan tool which is a decompiler for Flash applications. Additionally, it can also run various code vulnerability assessments using static analysis on the decompiled flash swf code.

A high resolution video of the talk is available for download here. The presentation for the talk is available here.

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at world renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World etc news agencies.In 2006, Vivek was announced as one of winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security- Freak.Net , SecurityTube.Net and is the co-founder of Axonize. Vivek, is a Bachelor in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati.You can contact him at vivek[at]securitytube.net