WebApp Sec mailing list archives
Re: Flash sites
From: ADex <hercules_84058 () yahoo com>
Date: Sat, 6 Sep 2003 09:13:54 -0700 (PDT)
As with most things regarding security, the "safest" or most secure thing is reliant upon the person securing it, and the tools they use in order to aid them in doing so. Although you didn't mention the server aspect directly, I do agree that the server is ultimately what you want to secure, and also potential information that may leak either from the file or the server. You've brought up an interesting point, and I would have to say that in my opinion, by limiting the flash file's interaction with other scripts, processes, or files you are limiting the insecurity somewhat, but it could also be argued that you were increasing the insecurity as well. For instance, limiting the information you want to present to a user to one flash file, or even multiple flash files, would allow you to prevent the server from having much interaction with the file, or indirectly the client, thereby decreasing the insecurity. You have to consider, as others have said, that flash files are client side, and any information they contain is open to anyone who wants to read it, thereby increasing the amount of insecurity. On the other hand, if your flash file were to connect to another script, file, or service, it would, yes, increase the amount of security constraints, but it would also allow you to secure them separately and protect the information contained within them. Therefore I say that the security is ultimately determined by the person securing it. It has generally been my contention that it is better to use multiple layers of security as opposed to a single layer (as most would probably agree). But bringing in multiple layers of security also brings in more potential vulnerabilities, and also more work for the person in charge. From an auditing aspect I agree with the consensus of the rest of the group in saying that you are likely to find few problems from a flash file isolated from everything else.
I wouldn't agree that it would be the safest, simply because of the potential information that may escape to the client side; if nothing else, the designer's name and methods of design could be considered valuable information in some cases, and these are most often included somewhere within the flash file. But this is also the case with a simple HTML file linked to nothing else. Summary: I think that it is about 50:50 between security and insecurity, and probably just as secure as, or possibly less secure than, other client side web languages.

Aj Dexter
On Wednesday, September 3, 2003, at 09:14 AM, John Madden wrote:

> Hello all,
>
> If a web site contains only flash files and has no write permissions to modify those flash files, no default files or other potentially dangerous scripts, can we say that is the "safest" form of a web site? Are there any other concerns in auditing a flash based site?
>
> Thanks
> John
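The point both posters make, that a flash file is delivered to the client and so everything inside it can be read, is easy to demonstrate from the auditor's side. The following is an added example, not code from this thread or from any project its participants mention. It parses the SWF container header (the "FWS" uncompressed and "CWS" zlib-compressed signatures, the version byte, and the little-endian file length), pulls out printable strings from the decompressed body, and flags the kinds of things an audit of a flash-only site would care about: embedded URLs to back-end resources, anything that looks like a credential, and author or designer credits. The sample SWF is constructed in memory and is not a playable movie; the `build_sample_swf` helper, the pattern names, and the sample strings are all assumptions of this example.

```python
import re
import struct
import zlib


def build_sample_swf(compressed: bool) -> bytes:
    """Constructed stand-in for a SWF file (not a valid movie).

    Only the 8-byte container header is real; the body is filler bytes
    with the kind of text an auditor finds in shipped flash files.
    """
    body = (
        b"\x00\x00\x00\x00\x00"                                # filler in place of frame data
        b"\x00api_key=constructed-1234\x00"                    # constructed "credential"
        b"\x00Author: Jane Doe (constructed)\x00"              # constructed designer credit
        b"\x00http://intranet.example.invalid/admin/data.xml\x00"  # constructed back-end URL
    )
    # FileLength in the header is the length of the whole uncompressed file,
    # header included.
    total_len = 8 + len(body)
    if compressed:
        # CWS: header stays clear, everything after byte 8 is zlib-compressed.
        return b"CWS" + bytes([6]) + struct.pack("<I", total_len) + zlib.compress(body)
    return b"FWS" + bytes([5]) + struct.pack("<I", total_len) + body


def parse_swf(data: bytes) -> dict:
    """Read the SWF header and return the decompressed body with its metadata."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    (uncompressed_len,) = struct.unpack("<I", data[4:8])
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    # A mismatch here usually means a truncated or tampered file.
    if 8 + len(body) != uncompressed_len:
        raise ValueError("header length field does not match body")
    return {
        "compressed": sig == b"CWS",
        "version": version,
        "length": uncompressed_len,
        "body": body,
    }


def extract_strings(body: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII of at least min_len bytes, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, body)]


# Things an auditor of a flash-only site would want surfaced. The names and
# patterns are this example's assumptions, not an established taxonomy.
LEAK_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "credential": re.compile(r"(?i)(key|passw|secret)\s*[:=]"),
    "author": re.compile(r"(?i)\b(author|designed by)\b"),
}


def audit_swf(data: bytes):
    """Parse a SWF and return (header info, [(label, string), ...]) findings."""
    info = parse_swf(data)
    findings = []
    for text in extract_strings(info["body"]):
        for label, pat in LEAK_PATTERNS.items():
            if pat.search(text):
                findings.append((label, text))
    return info, findings


if __name__ == "__main__":
    for compressed in (False, True):
        info, findings = audit_swf(build_sample_swf(compressed))
        print("SWF v%d, compressed=%s, %d bytes" % (info["version"], info["compressed"], info["length"]))
        for label, text in findings:
            print("  [%s] %s" % (label, text))
```

Compression does not change the outcome: the CWS form only hides the text from a casual `strings` run on the raw file, and the decompression step above recovers it. In practice you would run `audit_swf` over every `.swf` the site serves and treat each `url` or `credential` finding as data that has already left the server.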