- Sleeping Sheep Hackers… - http://sleepingsheephackers.org -

Flash hacking 101

This entry was posted by matti on 19.10.2009 @ 09:48 in hacking | No comments


As mentioned before, there are some standard tools that can be used for assessing a Flash-based web application.

http://www.nowrap.de/

Offers two different applications: flare and flasm. The first only extracts the ActionScript from a SWF file; nothing else gets extracted. The latter disassembles the complete file. Therefore both should be used to get the complete picture.
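To see what both tools work from, here is an added example (my own Python, not flare, flasm or anything from the original post): it parses the SWF container, handles the zlib-compressed CWS variant, walks the tag list, decodes a handful of AS2 actions such as GetURL and Push, and flags strings that deserve a closer look. The sample SWF is constructed inside the script, so nothing needs downloading; ZWS (LZMA) files and AS3 bytecode (DoABC) are only identified, not decoded, and nested tags inside DefineSprite are not descended into.

```python
"""Minimal SWF container parser and AS2 action decoder (added example).

The sample SWF built by build_sample_swf() is constructed here for testing;
it is not a file from the original post.
"""
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             39: "DefineSprite", 59: "DoInitAction", 69: "FileAttributes", 82: "DoABC"}
ACTION_NAMES = {0x83: "GetURL", 0x96: "Push", 0x9A: "GetURL2", 0x3D: "CallFunction",
                0x52: "CallMethod", 0x1C: "GetVariable", 0x1D: "SetVariable"}
# Identifiers and literal prefixes worth a closer look in any SWF (AS2 or AS3).
MARKERS = [b"javascript:", b"getURL", b"navigateToURL", b"ExternalInterface",
           b"LocalConnection", b"loadMovie", b"loadVars", b"allowScriptAccess"]


def disassemble_actions(payload):
    """Decode an AS2 action record list (body of a DoAction/DoInitAction tag)."""
    out, pos = [], 0
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == 0:
            out.append("End")
            break
        if code < 0x80:                      # short actions carry no data
            out.append(ACTION_NAMES.get(code, "Action0x%02x" % code))
            continue
        (length,) = struct.unpack_from("<H", payload, pos)
        pos += 2
        data = payload[pos:pos + length]
        pos += length
        if code == 0x83:                     # GetURL: url\0 target\0
            url, target = data.split(b"\x00")[:2]
            out.append("GetURL url=%r target=%r" % (url.decode("latin-1"),
                                                     target.decode("latin-1")))
        elif code == 0x96 and data[:1] == b"\x00":   # Push of one string constant
            out.append("Push %r" % data[1:].split(b"\x00")[0].decode("latin-1"))
        else:
            out.append("%s len=%d" % (ACTION_NAMES.get(code, "Action0x%02x" % code), length))
    return out


def parse_swf(data):
    """Parse the header and tag list; return a dict summarising the file."""
    sig, version = data[:3], data[3]
    (file_length,) = struct.unpack_from("<I", data, 4)
    body = data[8:]
    if sig == b"CWS":                        # zlib-compressed body (SWF 6+)
        body = zlib.decompress(body)
    elif sig == b"ZWS":                      # LZMA (SWF 13+): not handled here
        raise ValueError("ZWS (LZMA) SWF not supported in this example")
    elif sig != b"FWS":
        raise ValueError("not a SWF file")
    nbits = body[0] >> 3                     # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0   # 8.8 fixed point
    (frame_count,) = struct.unpack_from("<H", body, pos + 2)
    pos += 4
    tags, actions = [], []
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                   # long tag header
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        tags.append((TAG_NAMES.get(code, "Tag%d" % code), length))
        if code in (12, 59):                 # DoAction / DoInitAction: AS2 bytecode
            actions.extend(disassemble_actions(payload))
        if code == 0:
            break
    findings = [m.decode() for m in MARKERS if m in body]
    return {"signature": sig, "version": version, "file_length": file_length,
            "length_ok": file_length == 8 + len(body), "frame_rate": frame_rate,
            "frame_count": frame_count, "tags": tags, "actions": actions,
            "findings": findings}


# --- constructed sample SWF (not from the original post) ---------------------
def _rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = f"{nbits:05b}" + "".join(f"{v & ((1 << nbits) - 1):0{nbits}b}"
                                    for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _action(code, data=b""):
    return bytes([code]) + struct.pack("<H", len(data)) + data


def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf(compressed=False):
    """One-frame SWF 8 whose DoAction pushes a string and calls getURL twice."""
    script = (_action(0x96, b"\x00clicked\x00")
              + _action(0x83, b"http://example.com/login\x00_self\x00")
              + _action(0x83, b"javascript:alert(document.domain)\x00_self\x00")
              + b"\x00")
    body = (_rect(0, 11000, 0, 8000) + struct.pack("<HH", 12 << 8, 1)
            + _tag(9, b"\xff\xff\xff") + _tag(12, script) + _tag(1, b"") + _tag(0, b""))
    header = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_swf(True)
    for key, value in parse_swf(data).items():
        print(key, value)
```

Run it with a downloaded SWF as the first argument, or with no argument to see the constructed sample. The `length_ok` flag compares the header's declared length with the decompressed size, a quick check that the file was fetched completely before handing it to flare or flasm.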

http://www.owasp.org/index.php/Category:SWFIntruder

This is an OWASP project that helps with the practical exploitation of the application. Basically you download the Flash file from the web site and place it on a locally running Apache web server. It must be seen more as a framework, as you can define your own attack strings and so forth. A few exploitation strings come along with it, but they are mostly focused on XSS within the SWF file. This should never be the only tool used during the assessment; it is better seen as an exploitation framework. The main problem is of course that you do the exploitation on your own machine, and therefore the client can easily argue that what works against a locally hosted copy does not apply to their deployment.

https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf

SWFScan from HP does a really good job of decompiling the SWF file and analysing it for known weaknesses. It should definitely be part of the assessment.

All these tools have of course the limitation that they do not take the communication with the back end (web server, database) into account. SWFScan looks for insecure calls within the SWF file, but that does not give you a complete picture.

Therefore it is essential to perform a complete web application test as well. A Flash application normally results in quite a lot of POST requests to the server.

The problem you are facing with such a test is scoping it. The best approach, from my point of view, is to look at the application and estimate how many interactions the user has with it and how many calls the application makes to the infrastructure (web server, database, etc.).
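One way to turn that estimate into numbers is to capture the traffic the SWF generates while you click through it and build an inventory of endpoints and parameters from the captured requests. The following is an added example (my own Python, not code from the original post or from any of the tools above); the raw requests in SAMPLE_REQUESTS are constructed to look like a proxy export and are not real traffic. Form-encoded bodies are split into parameter names, other body types are counted as one opaque injection point.

```python
"""Scope estimate from captured HTTP requests (added example).

SAMPLE_REQUESTS is constructed test input in raw HTTP form, as a proxy would
export it; it is not traffic from the original post.
"""
from urllib.parse import urlsplit, parse_qs

SAMPLE_REQUESTS = [
    "POST /app/login.php HTTP/1.1\r\nHost: flashapp.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=secret",
    "POST /app/login.php HTTP/1.1\r\nHost: flashapp.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&pass=hunter2&remember=1",
    "GET /app/profile.php?id=17 HTTP/1.1\r\nHost: flashapp.example\r\n\r\n",
    "POST /app/search.php HTTP/1.1\r\nHost: flashapp.example\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n\r\n<query><term>foo</term></query>",
    "GET /static/main.swf HTTP/1.1\r\nHost: flashapp.example\r\n\r\n",
]


def parse_request(raw):
    """Return (method, path, parameter names) for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if body and ctype == "application/x-www-form-urlencoded":
        params |= set(parse_qs(body, keep_blank_values=True))
    elif body:
        # XML, AMF or anything else: one opaque injection point per content type
        params.add("<body:%s>" % (ctype or "unknown"))
    return method, parts.path, params


def inventory(requests):
    """Group requests by path; count POSTs and distinct injection points."""
    endpoints = {}
    post_requests = 0
    for raw in requests:
        method, path, params = parse_request(raw)
        entry = endpoints.setdefault(path, {"methods": set(), "params": set(), "hits": 0})
        entry["methods"].add(method)
        entry["params"] |= params
        entry["hits"] += 1
        post_requests += method == "POST"
    for entry in endpoints.values():
        entry["methods"] = sorted(entry["methods"])
        entry["params"] = sorted(entry["params"])
    return {"endpoints": endpoints, "post_requests": post_requests,
            "injection_points": sum(len(e["params"]) for e in endpoints.values())}


if __name__ == "__main__":
    result = inventory(SAMPLE_REQUESTS)
    for path, entry in sorted(result["endpoints"].items()):
        print(path, entry["methods"], entry["params"], "hits=%d" % entry["hits"])
    print("POST requests:", result["post_requests"],
          "injection points:", result["injection_points"])
```

The number of distinct endpoints is a proxy for the calls the application makes to the infrastructure, and the injection-point count is what actually drives the effort of the manual web application test; both can go straight into the scoping estimate.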


Article URL: http://sleepingsheephackers.org/2009/10/19/fash-hacking-101/
