Flash Hacking

What to look for:

  • See if params are passed to the Flash player without sanitization (XSS, HTMLi)

  • Decompile the SWF and look for creds, file locations

  • Look for communication channels to and from the flash player (SOAP, AMF)

  • Check allowScriptAccess param

  • Check the crossdomain.xml (this overrides the same-origin policy for the Flash player)

Vulnerable Flash Embed:

The URL param (user input) is passed to the Flash window, which loads that location. Any JS run from within this Flash window executes in the context of index.php, since that is the calling context.

Payload: by passing JS rather than a URL we can grab cookies: site=javascript:alert(document.cookie);
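The fix on the server side is to never hand raw user input to the SWF as a location. The following is an added example, not the page's own code: a validator that only accepts an absolute http(s) URL on an allowlisted host, so a javascript: (or data:, or scheme-relative) value such as the payload above never reaches the Flash object. The allowlist contents are hypothetical; the test inputs are constructed.

```python
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the SWF may be told to load from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}


def safe_flash_url(value):
    """Return the URL unchanged if it is safe to pass to the Flash embed, else None.

    Checks, in order:
      1. the value is a string with no whitespace or control characters
         (browsers ignore those inside a scheme, e.g. "java\\tscript:");
      2. the scheme is exactly http or https (rejects javascript:, data:,
         and scheme-relative "//host" values, which inherit the page scheme);
      3. there is no userinfo, so "http://www.example.com@evil.example/"
         cannot masquerade as an allowlisted host;
      4. the host is on the allowlist.
    """
    if not isinstance(value, str) or not value:
        return None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch.isspace() for ch in value):
        return None

    parts = urlparse(value)          # scheme is lowercased by urlparse
    if parts.scheme not in ("http", "https"):
        return None
    if "@" in parts.netloc:
        return None
    try:
        parts.port                   # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname            # lowercased, None if absent
    if host is None or host not in ALLOWED_HOSTS:
        return None
    return value


if __name__ == "__main__":
    # Constructed inputs, including the page's payload shape.
    for candidate in ("javascript:alert(document.cookie);",
                      "//evil.example/movie.swf",
                      "http://www.example.com@evil.example/movie.swf",
                      "http://www.example.com/movie.swf?x=1"):
        print(repr(candidate), "->", safe_flash_url(candidate))
```

Rejecting rather than "cleaning" the value is deliberate: stripping a javascript: prefix invites bypasses, while an allowlist of hosts fails closed. Pair this with allowScriptAccess set to never (or sameDomain when the SWF is first-party) on the embed itself, so that even a loaded SWF cannot run script in the page's context.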
