WebApp Sec mailing list archives
Re: Flash sites
From: Jean-Jacques Halans <jj () halans be>
Date: Wed, 03 Sep 2003 21:03:47 +0200
Not at all... As your question itself shows, you probably have a false sense of security, and therefore probably overlook several security issues.

You can grab Flash files from the server (view page source, copy URL) and then decompile them and look at the ActionScript (e.g. Sothink SWF Decompiler MX 2002 Pro, and others) (cf. cross-platform Java .class files).

If you want to connect to a database you'd probably use some sort of server-side scripting language (ASP, PHP, JSP, whatever) and you'll have the same security considerations (input validation, ...).

ActionScript itself only does one-way hash encryption (MD5 instead of the stronger SHA-1). It can use HTTPS in the browser, but outside the browser there is no way to exchange data securely (using persistent sockets).

There have already been security issues with the Flash player, which have been dealt with. Are there still others we don't know of just yet? Later this month a new player (7) will appear (with new vulnerabilities?). There are several security features built in though (sandbox etc.). There is an excellent Macromedia document discussing this, "Macromedia Flash MX Security" by the excellent Mike Chambers:

http://www.macromedia.com/devnet/mx/flash/whitepapers/security.pdf
http://www.macromedia.com/devnet/security/security_zone/

All in all, you shouldn't use Flash just for its security features...

JJ

John Madden wrote:

> Hello all,
>
> If a web site contains only Flash files and has no write permissions to modify those Flash files, no default files or other potentially dangerous scripts, can we say that is the "safest" form of a web site? Are there any other concerns in auditing a Flash-based site?
>
> Thanks
> John
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
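The point JJ makes about grabbing and decompiling the .swf is worth seeing at the byte level. The following is an added example (not part of the original thread, and not the decompiler he names): a small Python script that builds a throwaway SWF as a constructed fixture and then does what any SWF decompiler does first, namely parses the header, inflates a "CWS" body, walks the tag list and pulls the string literals out of DoAction bytecode (ActionPush, ActionConstantPool and ActionGetURL). Anything an ActionScript author embedded, such as back-end URLs or credentials, falls out the same way. The helper names (build_demo_swf, extract_strings) and the sample strings are mine, chosen for the example.

```python
import struct
import zlib

# SWF tag and ActionScript (AVM1) opcodes used below, per the SWF file format spec.
TAG_END = 0
TAG_DO_ACTION = 12
ACTION_GET_URL = 0x83
ACTION_CONSTANT_POOL = 0x88
ACTION_PUSH = 0x96

# Constructed sample "secrets" an author might have left in client-side ActionScript.
DEMO_STRINGS = ["http://example.invalid/admin/login.php", "admin", "hunter2"]


def build_demo_swf(strings, compress=True):
    """Build a minimal SWF (header, 1 frame, one DoAction tag, End tag).
    This is a constructed fixture for the example, not a real site's movie."""
    rect = b"\x00"                                   # RECT with Nbits=0 (5 bits, padded)
    body = rect + struct.pack("<HH", 0x0C00, 1)      # frame rate 12.0 (8.8 fixed), 1 frame
    actions = b""
    for s in strings:
        payload = b"\x00" + s.encode("latin-1") + b"\x00"   # push type 0 = C string
        actions += struct.pack("<BH", ACTION_PUSH, len(payload)) + payload
    actions += b"\x00"                               # ActionEnd
    # Long-form tag header (length field 0x3F, then UI32 length).
    body += struct.pack("<HI", (TAG_DO_ACTION << 6) | 0x3F, len(actions)) + actions
    body += struct.pack("<H", 0)                     # End tag
    total = 8 + len(body)                            # header length counts the 8-byte header
    sig = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    return sig + bytes([6]) + struct.pack("<I", total) + payload


def swf_body(data):
    """Validate the header and return (version, uncompressed body after the header)."""
    sig, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])             # CWS = zlib-compressed after byte 8
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:
        raise ValueError("header length does not match body")
    return version, body


def skip_rect(body):
    """Size in bytes of the leading RECT: 5-bit Nbits then 4*Nbits bits, byte-padded."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(body):
    """Yield (tag_code, tag_data) from the tag list that follows RECT + rate + count."""
    off = skip_rect(body) + 4
    while off + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                           # long form: UI32 length follows
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        yield code, body[off:off + length]
        off += length
        if code == TAG_END:
            break


def cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def strings_from_actions(actions):
    """Walk an AVM1 action stream and collect string literals."""
    found, off = [], 0
    while off < len(actions):
        code = actions[off]
        off += 1
        if code == 0:
            break
        if code < 0x80:                              # opcodes below 0x80 carry no payload
            continue
        length = struct.unpack_from("<H", actions, off)[0]
        off += 2
        payload = actions[off:off + length]
        off += length
        if code == ACTION_PUSH:
            # Push data: type byte then value; only type 0 is an inline string.
            sizes = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}
            p = 0
            while p < len(payload):
                t = payload[p]
                p += 1
                if t == 0:
                    s, p = cstring(payload, p)
                    found.append(s)
                elif t in sizes:
                    p += sizes[t]
                else:
                    break
        elif code == ACTION_CONSTANT_POOL:
            count = struct.unpack_from("<H", payload, 0)[0]
            p = 2
            for _ in range(count):
                s, p = cstring(payload, p)
                found.append(s)
        elif code == ACTION_GET_URL:
            url, _ = cstring(payload, 0)
            found.append(url)
    return found


def extract_strings(swf):
    """Every string literal in every DoAction tag of the movie."""
    _, body = swf_body(swf)
    out = []
    for code, data in iter_tags(body):
        if code == TAG_DO_ACTION:
            out.extend(strings_from_actions(data))
    return out


if __name__ == "__main__":
    for s in extract_strings(build_demo_swf(DEMO_STRINGS)):
        print(s)
```

Run against a real movie, replace build_demo_swf() with open("movie.swf", "rb").read(); SWF files compiled by Flash MX are normally "CWS", so the zlib step is what a naive strings(1) pass misses. Anything the parser prints here was always available to whoever could download the .swf, which is the whole audience of the site.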
Current thread:
- Flash sites John Madden (Sep 03)
- Re: Flash sites Thomas Chiverton (Sep 04)
- Re: Flash sites RSnake (Sep 04)
- Re: Flash sites Max Moser (Sep 04)
- Re: Flash sites RSnake (Sep 04)
- Re: Flash sites Jean-Jacques Halans (Sep 04)
- Re: Flash sites Jeremiah Grossman (Sep 04)
- Re: Flash sites ADex (Sep 06)
- <Possible follow-ups>
- RE: Flash sites Nick Duda (Sep 03)
- RE: Flash sites Mathew C. Beckman (Sep 04)
- RE: Flash sites Piet Carpentier (Sep 04)
- Re:Flash sites leorl (Sep 04)
- FW: Flash sites GRIFFITHS ian (Sep 05)