WebApp Sec mailing list archives
Re: Flash sites
From: "Max Moser" <max.moser () moser-informatik ch>
Date: Wed, 3 Sep 2003 20:28:47 +0200 (CEST)
Hi there,

No. Flash is one of the most insecure ways to do a website. A while ago we released a paper about modifying Flash online games. See http://www.remote-exploit.org. Applications with Flash are basically the same. I actually analyse the different authentication methods using Flash, and most of them can be bypassed using a debugger.

Remember, Flash is a movie. A very simple authentication is done by stopping at frame (x) and doing some fancy scripts to prove the password etc., and then, if it's right, jump to frame (z), otherwise go to frame (y). So hey, Flash is running on the client inside his memory, so what prevents me from modifying the memory to force Flash to jump to z instead of y? I don't want to tell every script kiddie how to do it, but I promise I will release my whitepaper when I have finished my analysis.

Basically an advice: use more than one Flash movie for the site.

Greetings
Max

___
Hello all,

If a web site contains only Flash files and has no write permissions to modify those Flash files, no default files or other potentially dangerous scripts, can we say that is the "safest" form of a web site? Are there any other concerns in auditing a Flash-based site?

Thanks
John