> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/web-application-hacking/web-techniques/click-jacking/adobe-swf-investigator.md).

# Adobe SWF Investigator

### This tool allows us to decompile and investigate SWF files that we load in.&#x20;

![](/files/-MlNL3Xjkj3TmRUznoR4)

#### The Disassembler Tab allows us to do string searches:

![This may lead us to file names that we can search in the browser. ](/files/-MlNLJ-okR9bDpiJ278j)

## XSS Fuzzer:

Under the SWF Inspector Utilities there is an XSS Fuzzer.

![](/files/-MlNM0iynDfPV63_jx9R)

To use the XSS fuzzer. First load the swf in the inspector then save the loaded swf file to local disk. From here we can Load the SWF to the **Target SWF** and input our vars to fuzz at **FlashVars**. This would be something like `name=bob&redirect=alice`.&#x20;

#### Sample setup from ELS:

![](/files/-MlNN5epvTFnxh2q05q8)

Results will be listed in the output tab. Vulns will be RED dots. In this case the redirect param is vulnerable to a javascript: context injection.

![](/files/-MlNNaVSq8ziX-3wimWU)

To verify the injection, go back to the browser and try an alert box.&#x20;

![](/files/-MlNNr5O7ihYJiYpLqs1)

## Cross-Domain Tester:

Test if the cross-domain policy file will allow loading of certain domains. This is handy if we cannot view the crossdomain.xml page. \
1\. Re-Map with default external domain first

![Re-Mapping with Defualts](/files/-MlNOCxT2QZXk2NL5uxU)

2\. Change URL to be the location of the page that calls/loads the swf file and then submit the request.

![](/files/-MlNOlMgBz6UsrU97Ab9)

3\. This failed so we can then try to load another subdomain context:

![And we see the output works](/files/-MlNPHF9xLZtEHaOT1c9)
