Yesterday, I received a post in the Pen-Test mailing list requesting for tips/resources on penetration testing of flash applications.  While there are some tools and white papers available, I could not find many authoritative resources which wraps the entire spectrum of flash security testing of RIA applications. So here is an endeavor to detail out the steps of testing.  I will keep this post only to outline the essential steps or points.  Please feel free to recommend additional inclusion of tools and techniques.  The idea is to come up with a comprehensive paper which can be used by pen-testers to test flash based Rich Internet Applications (RIA).
Wiki on Flash Security (maintained by fukami)
Flasm is an assembler/disassembler for Flash actionscript bytecode.Using flasm, script authors may learn how actionscript compiler and Flash Player virtual machine work, and tweak the compiled bytecode in SWF files for performance.
High level programming langugae that compiles into JavaScript or Actionscropt
Flare processes an SWF and extracts all scripts from it.
