Starting Points

OWASP Flash Security Project - most everything here is listed there.... I should have looked at OWASP first!

Useful Security Papers & Prezos

Analyzing (malicious) SWF file actions

A Lazy Pen Tester’s Guide to Testing Flash Applications

Tools

SWF

Flare

swftools - a collection of utilities for working with Adobe Flash files (SWF files). The tool collection includes programs for reading SWF files, combining them, and creating them from other content (like images, sound files, videos or sourcecode)

JSwiff - 'The aim of the JSwiff project is to create an open source, pure Java framework for Macromedia Flash file creation and manipulation.''

• https://github.com/sporst/SWFREtools

  AMF

pinta - a utility that allows a developer to make custom AMF service calls, and view detailed output. The developer can use this utility to test services without having to develop a client application. AMFPHP service discovery can be used to detect available services, or they can be defined manually.

Deblaze - remote method enumeration for Flex servers

AMFShell