Re: Flash sites

[RSnake <rsnake () shocking com>]

        I am having a hard time understanding how that is a security hole, or a
security fix.  If there is no secure information in the Flash file to begin
with, and he is simply interested in securing the webserver, and it makes no
outside calls to databases or scripts of any kind, it is not a dangerous
binary.  Further, using multiple flash files wouldn't stop anything.

        If you can decompile one flash movie, you can see where it points to
for the next flash movie ("/flash/secure_movie.swf") and then go directly to
that file, decompile it, etc...  I'm assuming everyone realizes putting
sensitive information inside a flash file is the same thing as hiding it in
html.  If it gets viewed by the client it was sent over a network (which could
be dangerous) and it is stored in memory on the client which can then closely
examine it.

        This is all using the assumtion that John gave us, and that the
Flash movie does not use any calls to local scripts on the host.  A lot of
people on this list are coming up with arguments about how to use Flash to
break into databases, but John said that is not the way his site is built.

On Wed, 3 Sep 2003, Max Moser wrote:

| Date: Wed, 3 Sep 2003 20:28:47 +0200 (CEST)
| From: Max Moser <max.moser () moser-informatik ch>
| To: chiwawa999 () yahoo com
| Cc: webappsec () securityfocus com
| Subject: Re: Flash sites
|
| Hi there,
|
| No.
|
| Flash is one of the most insecure way to do a website. We released a
| while ago a paper about modifying flash online games. See
| http://www.remote-exploit.org.
| Applications with flash are basicaly the same. I actualy analyse the
| different authentication methods using flash, and most of then can be
| bypassed using a debugger.
| Remember flash is a movie. A very simple authentication is done by stopping
| at frame (x) and doing some fany scripts to proove the password etc... and
| then, if its right jump to frame (z) othrwise go to frame (y).
| So hey, flash is running on the client inside hes memory, so what prevent
| me to modify the memory to force flash to jump to Z instead of y.
| I dont want to tell every scriptkiddy how to do it, but i promise, i will
| release my whitepaper when i finished my analysis.
| Basicaly an advice, use more than one flash movie for the site.
|
| Greetings
|
| Max
| ___
| > Hello all,
| >
| > If a web site contains only flash files and has no
| > write permissions to modify those flash files, no
| > default files or other potentially dangerous scripts
| > can we say that is the "safest" form of a web site ?
| >
| > Are there any other concerns in auditing a flash based
| > site ?
| >
| > Thanks
| >
| > John
| >
| > __________________________________
| > Do you Yahoo!?
| > Yahoo! SiteBuilder - Free, easy-to-use web site design software
| > http://sitebuilder.yahoo.com
|
|
|

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is
expressly prohibited and may be unlawful.