My Pentest Log -2- (Fuzzing + Information Disclosure)
Greetings from Constantinople to all,
I would like to tell you about the information disclosure finding that I obtained through a file I encountered during the penetration tests.
Throughout the article, the application will be referred to as private.com.
1. I was asked by our project manager to test private.com.
2. I started my “white box” test after the necessary information was provided.
3. As I always do, I validated the scope and started the fuzzing processes on the app.
4. During the fuzzing process, I encountered a “.swf” file, which was normal because it was a widely used file.
SWF is an Adobe Flash file format that contains videos and vector-based animations.
5. So what did this file mean for us security guards? In past years, information disclosure through SWF files was very common. Today it is not very common, but I still wanted to check it.
6. I examined the code blocks of the target SWF file with the “SWF decompiler” tool.
The tool I use:
https://www.softpedia.com/get/Internet/WEB-Design/Flash/JPEXS-Free-Flash-Decompiler.shtml
7. While doing the necessary investigations, I found “user names” in some code blocks that could be useful to me during the tests, although they are not important.
Summary:
During some tests, we can obtain .swf and similar files. Especially in tests where the scope is limited, such files are of great importance for us, so if possible, you can examine SWF files in this way and encounter various information leaks.
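The same check can be run by an application owner before a SWF file is published. The following is an added example, not part of the original post and not code from the decompiler project: it reads the SWF header, inflates a zlib-compressed (CWS) body, and lists printable strings that contain account-related keywords. The keyword list, function names and the sample file are assumptions constructed for the example.

```python
import re
import struct
import zlib

# Keywords that suggest account or secret material (assumed list; tune per application).
SENSITIVE = re.compile(rb"(user(name)?|login|passw(or)?d|secret|token|api[_-]?key)", re.I)
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed SWF body (everything after the 8-byte header)."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig = data[:3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed size incl. header
    if sig == b"FWS":              # stored uncompressed
        body = data[8:]
    elif sig == b"CWS":            # zlib-compressed after the header
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled in this example")
    else:
        raise ValueError("not an SWF file")
    if len(body) + 8 < declared_len:
        raise ValueError("file is shorter than its declared length")
    return body[:declared_len - 8]


def find_sensitive_strings(data: bytes) -> list[str]:
    """List printable strings in the SWF body that contain a sensitive keyword."""
    return [m.group().decode("ascii")
            for m in PRINTABLE.finditer(swf_body(data))
            if SENSITIVE.search(m.group())]


def make_sample_swf(compressed: bool) -> bytes:
    """Build a constructed SWF-like file for the demo (not a playable movie)."""
    body = b"\x00\x01\x02var username = 'svc_report';\x00\x03stage.align='TL';\x00\xff"
    header = (b"CWS" if compressed else b"FWS") + b"\x0a" + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for hit in find_sensitive_strings(make_sample_swf(compressed=True)):
        print("review before publishing:", hit)
```

A string scan only catches literals stored as plain ASCII; a full review still means opening the file in a decompiler as described above.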