Last week we discussed how to capture the traffic between the flash application and the server. This helps us analyse the end-points of the application and determine the parameters we will be testing. Today we are going to the source code looking for those parameters…
First of all we need a decompiler, flasm. It decompiles the flash files into a kind of ASM (named SWF bytecode) so we can analyze, and even modify, the actions the application is performing under the hood. Download it and decompress it anywhere on your machine.
The zip file contains two files: the .fla, which has the original source code, and the .swf, which has the compiled code and is the one we are going to analyze.
To extract the SWF code we have to execute the flasm app with the -d parameter. This writes the bytecode to stdout, so we need to redirect it into a file:
flasm.exe -d simple_login.swf > simple_login.txt
Opening it with a text editor reveals very simple code that can be easily understood:
So, we have a variable password and we compare it against the string 5pieces. If the comparison is true, we are in; if not, we have to guess again.
As you can understand, writing the clear-text password into the flash file is a really bad practice, but some people do it. Also, with this technique we can read the URLs inside the file and discover which requests the flash application is going to make.
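Reading the disassembly by hand works for a one-frame login movie, but a real application produces thousands of lines. The script below is an added example (not part of the original post and not a flasm feature) that scans flasm-style output for the two things discussed above: a variable fetched with getVariable and compared against a pushed string literal (a hard-coded password check), and any pushed literal that looks like a URL. The disassembly it parses is a constructed, simplified sample: it assumes one quoted literal per push line and the opcode names shown, so adapt the patterns to the real flasm output of the file you are auditing.

```python
import re

# Constructed sample in flasm's textual style (NOT the blog's real dump).
# A variable 'password' is fetched and compared against a hard-coded literal,
# then a request URL is pushed for getURL2.
SAMPLE_DISASSEMBLY = """\
movie 'simple_login.swf' // constructed sample
  frame 0
    push 'password'
    getVariable
    push '5pieces'
    equals
    not
    branchIfTrue label1
    push 'http://example.invalid/login.php'
    getURL2 'POST'
    label1:
  end
end
"""

# One single-quoted literal per push line (simplifying assumption).
PUSH_RE = re.compile(r"^push\s+'((?:[^'\\]|\\.)*)'$")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Comparison opcodes that would finish a "variable == literal" check.
COMPARE_OPS = {"equals", "stringEquals", "strictEquals"}


def tokenize(disassembly):
    """Turn the disassembly into (opcode, operand) tuples, skipping labels/comments."""
    ops = []
    for raw in disassembly.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.endswith(":"):
            continue
        m = PUSH_RE.match(line)
        if m:
            ops.append(("push", m.group(1)))
            continue
        parts = line.split(None, 1)
        ops.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return ops


def string_literals(disassembly):
    """Every string constant pushed onto the stack, in order of appearance."""
    return [operand for op, operand in tokenize(disassembly) if op == "push"]


def find_urls(disassembly):
    """Pushed literals that look like URLs: the end-points the movie talks to."""
    return [s for s in string_literals(disassembly) if URL_RE.match(s)]


def find_hardcoded_comparisons(disassembly):
    """(variable, literal) pairs for the pattern:
       push 'var' / getVariable / push 'literal' / <compare op>
    i.e. a value read at runtime compared against a constant baked into the SWF."""
    ops = tokenize(disassembly)
    hits = []
    for i in range(len(ops) - 3):
        if (ops[i][0] == "push" and ops[i + 1][0] == "getVariable"
                and ops[i + 2][0] == "push" and ops[i + 3][0] in COMPARE_OPS):
            hits.append((ops[i][1], ops[i + 2][1]))
    return hits


def audit(disassembly):
    """Summary a reviewer would want: secrets compared in-movie and URLs found."""
    return {
        "hardcoded_comparisons": find_hardcoded_comparisons(disassembly),
        "urls": find_urls(disassembly),
    }


if __name__ == "__main__":
    # Usage with a real dump: audit(open("simple_login.txt").read())
    for key, value in audit(SAMPLE_DISASSEMBLY).items():
        print(f"{key}: {value}")
```

The pattern matcher is deliberately narrow: it only reports a literal that is compared directly against a variable read, which is the exact shape of the login check above. Strings that are obfuscated, split across several pushes, or compared inside a function body will not show up, so treat an empty result as "nothing obvious", not as proof that no secret is embedded.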
Next post, flash cookies!