Rapid7 Adds Dynamic Flash Analysis to NeXpose

Rapid7, a Boston-based provider of vulnerability management and penetration testing solutions, today announced that its NeXpose product now provides full Adobe® Flash decompilation and analysis support. With the new feature, Rapid7’s Web application scanning goes beyond basic Flash support with the ability to discover more vulnerabilities and improve intelligence in Flash analysis.

Adobe’s Flash player has been an increasingly attractive target for malicious hackers, and while many vulnerability scanners do check Flash player security, most are unable to provide the deep inspection of Flash applications that run in the environment, leaving both clients and servers unprotected from many dangerous security issues, including remote hijacking, SQL injections and malicious SWF files.

Rapid7’s support for Web application Flash content enables NeXpose 4.10.4 users to conduct vulnerability scans that provide a deeper level of analysis on all websites and discover more vulnerabilities. This protects both the consumer of the website against XSS attacks, as well as the hosts of the website against other vulnerabilities. The new capability enables Rapid7 users to analyze Flash forms, which can uncover more potential injection points in the application, information disclosures and coding mistakes. For example, users can now find pages only linked from Flash menus, discover hard-coded credentials in Flash elements and analyze HTTP POST requests in Flash forms for injection vulnerabilities.

“As companies face increasing Web application attacks today, especially with Adobe Flash and its excessive risks, it has remained our goal to stay ahead and proactively offer a broad range of Web security best practices, including solutions for NeXpose and Metasploit,” said Mike Tuchen, president and CEO, Rapid7.