Some Flash movies are not scanned

Flash execution is enabled, but AppScan fails to load certain Flash movies during the scan.

Cause

Adobe Flash Player uses a different initialization sequence when it executes a Flash movie directly than when it executes an SWF file that is loaded by (embedded in) another Flash movie.

Behavior 1: Flash movie

In the case of a Flash movie, the Adobe Flash Player executes the following actions:

  1. Initializes the Flash Stage object
  2. Calls the constructor of the Flash movie itself (Sprite object or Movie Clip object)

Behavior 2: Embedded SWF file

In the case of an SWF file embedded in a Flash movie, the Adobe Flash Player executes the following actions:

  1. Calls the constructor of the Flash movie itself (Sprite object or Movie Clip object)
  2. Initializes the Flash Stage object

It follows that any embedded Flash movie that refers to the Stage object in its constructor will fail with a null reference error (in ActionScript 3 this surfaces as TypeError #1009, "Cannot access a property or method of a null object reference"), because the Stage has not been initialized at that point.

In order to crawl SWF files during a scan, AppScan Standard loads those files into its own Flash container. This should not change the way the Flash files behave, but because of the inconsistency described above, a movie loaded into the AppScan Standard container is treated by the Adobe Flash Player as an embedded SWF and gets Behavior 2 instead of the expected Behavior 1. If the movie's constructor contains any reference to the Stage object, that reference is null, the constructor throws, and AppScan Standard is unable to load the movie.

Workaround

Given the current Adobe Flash Player functionality, the only workaround for this issue is to make a small change to the SWF files of the site being scanned. This change will not affect the functionality of the Flash movie, and will not pose any security risk for the SWF file in question.

Code example:

Typical structure of the problematic SWF file:

	package {

		import flash.display.*; 
		import flash.events.*; 

		public class TestSample extends MovieClip {

			public function TestSample(){ 

				// Begin initialization tasks 
				// There may be one or more references to the Stage object here 

				// For example: stage.addEventListener(MouseEvent.CLICK,MouseClicked); 

				// End of initialization tasks 

			}
			// other functions – no change required

		}

	}

The solution is to move the initialization tasks out of the constructor into a handler for the ADDED_TO_STAGE event:

	package { 

		import flash.display.*;
		import flash.events.*;

		public class TestSample extends MovieClip {

			public function TestSample(){ 
				this.addEventListener(Event.ADDED_TO_STAGE, solutionToFlashProblem);
			}

			private function solutionToFlashProblem(e:Event):void 
			{ 

				// Begin initialization tasks 
				// There may be one or more references to the Stage object here
				// For example: stage.addEventListener(MouseEvent.CLICK,MouseClicked);

				// End of initialization tasks

			}
			// other functions – no change required
		}
	}

All that has been done is to move the content of the constructor into a callback function that is invoked when the current class is added to the Stage object. By the time that callback runs, the Stage object has been initialized, so the Stage references succeed regardless of whether the Flash Player used Behavior 1 or Behavior 2 to start the movie.
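A slightly more defensive form of the same change, as an added example (this is not code from the AppScan documentation; the class name, handler names and the sample click listener are illustrative). It initializes immediately when stage is already set (a movie run directly), defers to ADDED_TO_STAGE when it is not (a loaded SWF, including the AppScan Standard container), and removes the listener so that initialization does not run twice if the clip is later removed from and re-added to the display list:

```actionscript
package {

	import flash.display.MovieClip;
	import flash.events.Event;
	import flash.events.MouseEvent;

	// Hypothetical class name; only the structure matters.
	public class TestSampleRobust extends MovieClip {

		public function TestSampleRobust() {
			if (stage) {
				// Behavior 1: the Stage object already exists, initialize now.
				init();
			} else {
				// Behavior 2: stage is still null; wait until this clip is on the Stage.
				addEventListener(Event.ADDED_TO_STAGE, onAddedToStage);
			}
		}

		private function onAddedToStage(e:Event):void {
			// Remove the listener so init() is not repeated if the clip is
			// removed from and re-added to the display list later on.
			removeEventListener(Event.ADDED_TO_STAGE, onAddedToStage);
			init();
		}

		private function init():void {
			// Begin initialization tasks: stage is guaranteed to be non-null here.
			stage.addEventListener(MouseEvent.CLICK, mouseClicked);
			// End of initialization tasks
		}

		// Illustrative stand-in for the movie's own click handler.
		private function mouseClicked(e:MouseEvent):void {
			trace("stage click at", e.stageX, e.stageY);
		}
	}
}
```

The `if (stage)` guard is what makes the class safe under both initialization orders: with only the ADDED_TO_STAGE listener, the movie depends on the player dispatching that event to the document class, whereas with the guard it initializes correctly whether the Stage is set before or after the constructor runs.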