Re: Flash sites

[Jean-Jacques Halans <jj () halans be>]

not at all...
As your questions itself shows, you probably have a false sense of 
security,
and therefor probably overlook several security issues.
You can grab flash files from the server (view page source, copy url)
and then decompile them and look at the actionscript (ex Sothink SWF 
Decompiler MX 2002 Pro, and others) (cfr crossplatform java .class files).
If you want to connect to a database you'd probably use some sort of 
server side scripting language (asp, php, jsp, whatever) and you'll have 
the same security considerations (input validation,...).
Actionscript itself only does one-way hash encryption (md5 in stead of 
the stronger SHA-1). It can use https in the browser, but outside the 
browser there is no way to exchange data securely (using persistant 
sockets) .
There already have been security issues with the flash player, which 
have been dealth with. Are there still others we don't know of just yet? 
Later this month a new player (7) will appear (with new vulnerabilities?).
There are several security features build in though (sandbox etc). There 
is an excellent Macromedia document discussing this "Macromedia Flash MX 
Security" by the excellent Mike Chambers.
http://www.macromedia.com/devnet/mx/flash/whitepapers/security.pdf
http://www.macromedia.com/devnet/security/security_zone/
All in all, you shouldn't use Flash just for its security features...

JJ

John Madden wrote:

> Hello all,
>
> If a web site contains only flash files and has no
> write permissions to modify those flash files, no
> default files or other potentially dangerous scripts
> can we say that is the "safest" form of a web site ?
>
> Are there any other concerns in auditing a flash based
> site ?
>
> Thanks
>
> John
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
>
>
>
>