Adobe SWF Investigator

This tool allows us to decompile and investigate SWF files that we load in.

The Disassembler Tab allows us to do string searches:

XSS Fuzzer:

Under the SWF Inspector Utilities there is an XSS Fuzzer.

To use the XSS fuzzer, first load the SWF in the inspector, then save the loaded SWF file to local disk. From here we can load the saved file as the Target SWF and enter the variables to fuzz under FlashVars. This would be something like name=bob&redirect=alice.

Sample setup from ELS:

Results are listed in the Output tab. Vulnerabilities are shown as red dots. In this case the redirect param is vulnerable to a javascript: context injection.

To verify the injection, go back to the browser and try an alert box.

Cross-Domain Tester:

Test whether the cross-domain policy file will allow loading from certain domains. This is handy if we cannot view the crossdomain.xml page.

1. Re-map with the default external domain first.

2. Change the URL to the location of the page that calls/loads the SWF file, then submit the request.

3. This failed, so we can then try to load another subdomain context:
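When the policy file can be retrieved, the allow-list question the Cross-Domain Tester answers can also be checked offline. The following is an added example, not part of the original notes or of SWF Investigator; the function names, the sample policy and the simplified wildcard matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration (not taken from the page).
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="static.example.com"/>
  <allow-access-from domain="*.partner.example" secure="false"/>
</cross-domain-policy>"""


def domain_matches(pattern, host):
    """Simplified matching (assumption): exact name, bare '*', or '*.suffix'
    for subdomains. An exact entry does not cover its subdomains."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Keep the leading dot so 'notpartner.example' does not match.
        return host.endswith(pattern[1:])
    return pattern == host


def is_allowed(xml_text, host):
    """True if any allow-access-from entry matches the requesting host."""
    root = ET.fromstring(xml_text)
    return any(domain_matches(rule.get("domain", ""), host)
               for rule in root.iter("allow-access-from"))


def audit_policy(xml_text):
    """Return (domain, finding) pairs for over-permissive entries."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append((domain, "any origin may read responses"))
        elif domain.startswith("*."):
            findings.append((domain, "every subdomain is trusted"))
        # 'secure' defaults to true; false lets HTTP-served SWFs read HTTPS data.
        if rule.get("secure", "true").lower() == "false":
            findings.append((domain, "HTTP origins may read HTTPS content"))
    return findings
```

Entries flagged by audit_policy are the ones worth tightening to exact host names on the server that publishes the policy.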
