FlasHack (III)



Welcome back to the FlasHack posts, today we are going to discuss the Flash Local Shared Objects or also knows as Flash cookies.

These are files used by Adobe Flash to store information related to the movies and store some information that is going to be interesting during a pentesting or a forensic assessment. They are stored in different places in each operating system:


  • %APPDATA%MacromediaFlash Player#SharedObjects<random code><domain><path – maybe°><object name>.sol


  • ~/.macromedia/Flash_Player/#SharedObjects/<random id>/<domain>/<path – maybe°>/<flash filename>.swf/<object name>.sol

The information is stored in a binary format, actually in AMF format, so a lot of tools allow you to edit them. And what we can do with these files…..? Let’s check!


These are the folders Adobe has generate into my machine. Well… the websites I visited have generate. You can discover the domains and the last access date, information which is really handy when we are doing a forensic analysis. These folders can reveal a possible third-party domain where a malware was hosted, per example.

To edit the information inside the files we have a lot of programs but I discover recently one very nice named .minerva. This is an AIR application, that also has a JavaScript beautifier, that can open Flash cookies and easily edit them.


In this case I edited a .sol file from the fibatv.com domain. I was watching the streaming and the cookie stored that I chose the high quality streaming. I know it’s not very exciting but sometimes we can found interesting information in the save games from Flash games 

So… remind to delete also the Flash cookies when you erase your browser history!!! Or someone can discover you visited THAT website