WebApp Sec mailing list archives

Re: Flash sites


From: "Max Moser" <max.moser () moser-informatik ch>
Date: Wed, 3 Sep 2003 20:28:47 +0200 (CEST)

Hi there,

No.

Flash is one of the most insecure ways to do a website. We released a
while ago a paper about modifying flash online games. See
http://www.remote-exploit.org.
Applications with flash are basically the same. I actually analyse the
different authentication methods using flash, and most of them can be
bypassed using a debugger.
Remember flash is a movie. A very simple authentication is done by stopping
at frame (x) and doing some fancy scripts to prove the password etc... and
then, if it's right, jump to frame (z), otherwise go to frame (y).
So hey, flash is running on the client inside his memory, so what prevents
me from modifying the memory to force flash to jump to Z instead of y?
I don't want to tell every script kiddie how to do it, but I promise, I will
release my whitepaper when I have finished my analysis.
Basically, a piece of advice: use more than one flash movie for the site.

Greetings

Max
___
Hello all,

If a web site contains only flash files and has no
write permissions to modify those flash files, no
default files or other potentially dangerous scripts
can we say that is the "safest" form of a web site ?

Are there any other concerns in auditing a flash based
site ?

Thanks

John
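
The design point in the reply above, as an added example that is not part of the original thread: a single movie that checks the password itself ships the check and both outcome frames to the client, while a split design keeps the protected movie on the server until the password has been verified there. All names and sample values are hypothetical, and reading "more than one flash movie" as a server-gated second movie is an assumption.

```python
import hashlib
import hmac
import os

# Constructed sample content standing in for the frames of a movie.
PROTECTED = "members-only content (frame z)"
DENIED = "access denied (frame y)"

def build_single_movie(password):
    # Weak design: the check and both outcome frames live in one file.
    return {"check": password, "frame_y": DENIED, "frame_z": PROTECTED}

def shipped_to_client(movie):
    # The whole movie is downloaded before any of its script runs.
    return "\n".join(str(value) for value in movie.values())

class Server:
    # Split design: the login movie holds no secret and no protected frame.
    def __init__(self, password):
        self._salt = os.urandom(16)
        self._hash = self._kdf(password)
        self._sessions = set()

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login_movie(self):
        # Only the prompt and the failure frame are sent up front.
        return {"form": "password prompt", "frame_y": DENIED}

    def login(self, password):
        # The decision is made server-side, with a constant-time comparison.
        if not hmac.compare_digest(self._kdf(password), self._hash):
            return None
        token = os.urandom(16).hex()
        self._sessions.add(token)
        return token

    def protected_movie(self, token):
        # The second movie is released only for a session the server issued.
        if token not in self._sessions:
            return None
        return {"frame_z": PROTECTED}
```

When auditing a Flash-based site, the equivalent check is whether anything sensitive is present in a file that is served before authentication succeeds.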
