I had some free time recently and was investigating XSS through embedded SWF objects. I came across the wonderful tool Flasm. Flasm can be used to easily disassemble a SWF and reassemble/compile it. All you need to do is download it into a folder and run ./flasm -d file.swf > file.flm. You can then edit the .flm file and recompile it with ./flasm -a file.flm. I will definitely be playing around with this in future.
I noticed straight away the JavaScript that was injected upon disassembly. The SWF object I created is mak.swf; if you visit this link the code executes javascript:alert("maK says hello! cookie:"+document.cookie). I of course started playing around with it and found it would be very simple to get XSS execution through URL includes or by embedding it on a page. Not many filters seem to account for this!
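The same disassembly step can drive a review check before an SWF is allowed onto a page. The Python below is an added example, not code from the original post or from Flasm; it scans a flasm -d listing for string literals that begin with a script scheme. The sample listing is constructed, and its opcode layout is an assumption that approximates Flasm's output.

```python
import re

# Schemes that make a Flash getURL call run script in the embedding page.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

# Single- or double-quoted string literals in a disassembly listing.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")


def normalize(value):
    """Lowercase and drop whitespace/control characters (a superset of what
    URL parsers strip), so padded or tab-split schemes still match."""
    return "".join(ch for ch in value if ch > " ").lower()


def scan_listing(text):
    """Return (line_number, literal) for every string literal in the
    listing whose normalized form starts with a script scheme."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1) if match.group(1) is not None else match.group(2)
            if normalize(literal).startswith(SCRIPT_SCHEMES):
                findings.append((lineno, literal))
    return findings


# Constructed sample; the layout is assumed to resemble `flasm -d` output.
SAMPLE_LISTING = """\
movie 'sample.swf' // constructed example listing
  frame 0
    getURL 'http://example.com/help' '_blank'
    getURL 'javascript:alert(document.cookie)' ''
    push ' JavaScript:void(0)', '_self'
    getURL2
  end // of frame 0
end
"""

if __name__ == "__main__":
    for lineno, literal in scan_listing(SAMPLE_LISTING):
        print(f"line {lineno}: script URL in string literal: {literal!r}")
```

A clean result only covers literal strings; a URL assembled at runtime from several pieces will not show up as one literal, so treat this as a first-pass triage.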
To embed this swf into a website, use the line I have found this to be very effective and will definitely be investigating such issues further.
Hax Brah!