
# Flash 101

Flash is a rich-content technology for video and animation in web apps. Flash logic is written in ActionScript, which has a syntax similar to JavaScript but is a compiled language, so the logic of a SWF file has to be decompiled before it can be reviewed.

### Flash Decompilers:

* <http://www.sothink.com/product/flashdecompiler/>
* <http://www.flash-decompiler.com/>

### Flash Embeds:

Using the `<object>` tag, Flash can be embedded in HTML:

{% tabs %}
{% tab title="HTML" %}

```markup
<object type="application/x-shockwave-flash" width="700" height="450">
    <param name="movie" value="Animation.swf"/>
    <param name="allowScriptAccess" value="never"/>
    <embed src="Animation.swf" width="700" height="450"/>
</object>
```

{% endtab %}
{% endtabs %}

#### AllowScriptAccess Attributes:

* always: The SWF can communicate with the hosting HTML page (call its JavaScript) regardless of the domain it was served from.
* sameDomain: The SWF file must be served from the same domain as the HTML page if it is to communicate with it.
  * **Default setting (domain sandbox)**
* never: The SWF file can never communicate with the HTML page.

#### Passing arguments to Flash files:

* Direct reference: Standalone SWF files (not embedded) can accept parameters in the URL query string; when the SWF is loaded, a dummy HTML page is generated to host it, e.g. via `&redirect=http://site.com`.
* Data attribute: When the SWF is embedded, arguments are passed in the `data` attribute of the `<object>` tag.
* FlashArgs: For embedded SWF files, a `<param>` sub-tag can also be used to pass arguments, as in:\
  `<param name="FlashArgs" value="name=Mike&redirect=http://site.com" />`
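The two settings above are the ones worth checking first when reviewing an embed: `allowScriptAccess` decides whether the SWF may script the page at all, and any redirect-style argument (FlashArgs, `data`, `movie`, `src`) is a value that may later reach `navigateToURL()`. The following stdlib script is an added example, not code from the page, that audits a snippet of embed HTML for both; the two HTML samples at the bottom are constructed, and `SAFE_SCHEMES` is this example's own allow-list.

```python
"""Audit a Flash <object>/<embed> snippet for risky settings (added example).

Checks:
  * allowScriptAccess: "always" lets the SWF script the hosting page from any
    domain; "sameDomain" is the default; "never" blocks it.
  * argument values reaching the SWF (FlashArgs param, data attribute, movie
    param, embed src): a value whose scheme is not http/https (for example
    javascript:) could be handed to navigateToURL() and run script.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAFE_SCHEMES = {"http", "https"}  # example allow-list, not a Flash setting


class FlashEmbedParser(HTMLParser):
    """Collect <object>/<embed> attributes and <param> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.params = {}        # lower-cased <param name> -> value
        self.object_attrs = {}  # attributes of the first <object>
        self.embed_attrs = {}   # attributes of the first <embed>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "param" and "name" in attrs:
            self.params[attrs["name"].lower()] = attrs.get("value", "")
        elif tag == "object" and not self.object_attrs:
            self.object_attrs = attrs
        elif tag == "embed" and not self.embed_attrs:
            self.embed_attrs = attrs


def _argument_sources(p):
    """Yield (where, query_string) for every place arguments can be passed."""
    if "flashargs" in p.params:
        yield "FlashArgs param", p.params["flashargs"]
    for where, url in (("data attribute", p.object_attrs.get("data", "")),
                       ("movie param", p.params.get("movie", "")),
                       ("embed src", p.embed_attrs.get("src", ""))):
        if "?" in url:
            yield where, url.split("?", 1)[1]


def audit_embed(html):
    """Return (effective allowScriptAccess value, list of findings)."""
    p = FlashEmbedParser()
    p.feed(html)
    access = (p.params.get("allowscriptaccess")
              or p.embed_attrs.get("allowscriptaccess")
              or "sameDomain").lower()  # sameDomain is Flash's default
    findings = []
    if access == "always":
        findings.append("allowScriptAccess=always: the SWF may call into the "
                        "page from any domain")
    for where, query in _argument_sources(p):
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                scheme = urlparse(value).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    findings.append(f"{where}: {name}= carries a "
                                    f"'{scheme}:' URL, not http/https")
    return access, findings


# Constructed sample: the page's embed with the risky settings applied.
RISKY_EMBED = """
<object type="application/x-shockwave-flash" data="Animation.swf?redirect=http://site.com" width="700" height="450">
    <param name="movie" value="Animation.swf"/>
    <param name="allowScriptAccess" value="always"/>
    <param name="FlashArgs" value="name=Mike&amp;redirect=javascript:alert(1)"/>
    <embed src="Animation.swf" width="700" height="450"/>
</object>
"""

# Constructed sample matching the page's own embed (allowScriptAccess never).
SAFE_EMBED = """
<object type="application/x-shockwave-flash" width="700" height="450">
    <param name="movie" value="Animation.swf"/>
    <param name="allowScriptAccess" value="never"/>
    <embed src="Animation.swf" width="700" height="450"/>
</object>
"""

if __name__ == "__main__":
    for label, snippet in (("risky", RISKY_EMBED), ("safe", SAFE_EMBED)):
        access, findings = audit_embed(snippet)
        print(f"{label}: allowScriptAccess={access}, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The risky sample produces two findings (the `always` setting and the `javascript:` redirect carried in FlashArgs); the `http://` redirect in the `data` attribute is not flagged because only the scheme is checked, not the destination host.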

#### Flash Stakeholders:

* Administrative role: Whoever installs Flash Player on the host. They configure the security settings for all users.
  * `system32\Macromed\Flash\mms.cfg`: configuration file read at Flash Player startup. Contains access restrictions and feature settings.
  * Global Flash Player Trust directory: SWF files registered here are globally trusted; they can load data from local and remote locations and interact with other SWF files.
* User role: The user account Flash Player runs under.
  * Has a user-level Trust directory
* Website role: The web-app-level enforcer of Flash loading/access policies.
  * Policy file: `crossdomain.xml`, typically in the web root
  * SWF files hosted on external domains look up this policy file to decide whether they may try to access the site's content. A SWF can also point at a policy file explicitly with `Security.loadPolicyFile()`.
* Author role: The developer of the SWF. This role can affect the built-in cross-domain interaction behaviour of the animation with `Security.allowDomain(<alloweddomains>)`. This is an implicit deny: domains that are not listed are refused.
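Because `crossdomain.xml` is the website role's only control over which foreign SWFs may read its responses, it is worth auditing mechanically. The script below is an added example, not part of the page, that flags the permissive settings in a policy file (wildcard `domain`, `secure="false"`, wildcard request headers and `permitted-cross-domain-policies="all"`). It uses only the standard library; the two policy documents at the bottom are constructed samples.

```python
"""Audit a crossdomain.xml policy for over-permissive settings (added example).

ElementTree is used because the input here is a local, constructed string;
the findings are plain strings so the function can be reused by other tooling.
"""
import xml.etree.ElementTree as ET


def audit_crossdomain(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # "all" lets policy files be loaded from any path on the host, not just
    # the root, which widens who can grant access to the site's content.
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies", "").lower() == "all":
        findings.append("site-control permitted-cross-domain-policies='all'")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*': any SWF on the web can "
                            "read this site's responses with the user's cookies")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain='{domain}': every "
                            f"subdomain is trusted")
        # secure defaults to true when the policy is served over HTTPS;
        # 'false' lets SWFs served over plain HTTP read HTTPS data.
        if el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from domain='{domain}' secure='false'")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append("allow-http-request-headers-from wildcard: arbitrary "
                            "headers accepted from any origin")
    return findings


# Constructed sample: everything wide open.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: a single named origin, master policy only.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        findings = audit_crossdomain(policy)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The permissive sample yields four findings, the strict one none. When running this against a policy fetched from a real site, fetch the file first and pass the text in; the parser is not meant to be pointed at untrusted XML with external entities.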

#### Flash Connection:

* Document/server connections
  * Loader (file loads)
  * Sound
  * URLLoader (text or binary data)
  * URLStream
* Socket connections
  * ActionScript Socket
  * XMLSocket

#### ActionScript Call to JS:

Using the `ExternalInterface.call()` function, AS can call JS functions:

![](/files/-MlNH9KZrVtJufb_2-Uc)

#### JavaScript Call to AS:

Using the `getFlashMovie()` function, JS can make calls to AS functions:

![](/files/-MlXpDDTHLj8Ly48MyxE)

AS, open an external SWF in the embedded window:

`navigateToURL(URLRequest, <target>)`. The function can also run JavaScript directly after loading the SWF when the request URL uses the `javascript:` scheme, such as `javascript:alert('alert');`.

#### Local Shared Objects:

Local Shared Objects are the Flash equivalent of cookies. They follow SOP-like rules and can be used to track users. They are not exchanged over HTTP and never expire. All browsers on a system share the same Flash object store.\
Win7 path: `C:\Users\<user>\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\`

Create or fetch a local shared object with the following:\
`var myCookie:SharedObject = SharedObject.getLocal("information");`\
If the *information* object exists it is fetched and stored in **myCookie**; otherwise **myCookie** is created and is empty.
