Flash content

This section contains suggestions for scanning Adobe® Flash content.

AppScan® explores and tests Adobe ActionScript 1.0, 2.0 and 3.0, and Adobe Flex frameworks 2.0 and 3.0. Flash parsing and execution are activated from the Explore Options view of the Scan Configuration dialog box.

System requirements

For AppScan to execute Adobe Flash content during scanning, you must have a supported version of the Adobe Flash Player for Internet Explorer installed. Versions 9.0.124.0 up to 14.0.0.125 are supported.

Note: The Flash Player comes in the form of an ActiveX plugin that is browser-specific. AppScan requires the Adobe Flash Player for Internet Explorer.
Note: In both cases ("Supported Flash Player not installed", or "Flash Player not configured") an alert will appear in the Configuration dialog box and Flash Execution will not run during scans.

Limitations to Flash scanning

The following limitations to Flash scanning should be noted:

  • Since AppScan scans Flash content through a proxy, localhost URLs are not scanned.
  • Issues found are specific to the version of the Adobe Flash Browser for Internet Explorer that is installed on your machine. It is possible that:
    • Your player is vulnerable to the issue reported, but a player for a different browser, or a later version of the player, is not
    • Your Internet Explorer player is not vulnerable to certain issues, which AppScan therefore does not report, but which do affect players for other browsers, or earlier versions of this player

Incomplete URL coverage

The following suggestions are for when you have run a scan and the results suggest that AppScan has not identified URLs from your Flash content.

Why does AppScan identify some URLs from the Flash content but miss others?

There are a few possibilities:

  • Verify that the Flash movie version is supported. (Unsupported versions are listed in Application Data view under "Filtered URLs.")
  • Play the movie in the Internet Explorer browser, on the machine that ran the scan, to verify that it plays correctly.
  • Check that JavaScript™ Execution (enabled by default) has not been disabled. (Scan Configuration > Explore Options > Execute JavaScript to discover URLs and dynamic content)

The Flash content coverage seems to be incomplete

There are a few possibilities:

  1. Check that the form filler information is complete (Scan Configuration > Automatic Form Fill).
  2. Try increasing the Scan Configuration > Explore Options > Flash > Click limit.
  3. Try increasing the Scan Configuration > Advanced Configuration > Flash: Max time between samples setting above its default value of 160 ms.
  4. Try increasing the Scan Configuration > Advanced Configuration > Flash: Coverage setting from 1 to 2.
  5. Try playing the movie in Internet Explorer to verify that it plays as expected.
  6. If the movie does not play, set the Flash Browser Debug Level to Trace 3, rescan, and send the browser log ([AppScan Standard installation folder]\Logs\AppScanFlashBrowser.log) to your Support provider.

Vulnerabilities not discovered

The following suggestions are for when AppScan has discovered the URLs and added them to the application tree, but has not discovered vulnerabilities in them.

Why doesn't AppScan discover vulnerabilities in the Flash URLs it discovered?

Possible reasons are:

  • There may simply be no suspicious parameters in the movie. Look in Application Data > Script Parameters to see the Flash parameters that were discovered.
  • Check that all Flash tests (ActionScript 2 and 3) are enabled. (Open Scan Configuration > Test Policy, search for "ActionScript", and verify that all tests are selected.)
  • The movie may simply not be vulnerable.

What else can I do?

If you still suspect that Flash vulnerabilities are being missed, enable Extended Support Mode, repeat the scan, and send the results to your Support provider. See Extended Support Mode.