WebApp Sec mailing list archives
Re: Flash sites
From: RSnake <rsnake () shocking com>
Date: Thu, 4 Sep 2003 08:23:26 -0700 (PDT)
I am having a hard time understanding how that is a security hole, or a security fix. If there is no secure information in the Flash file to begin with, and he is simply interested in securing the webserver, and it makes no outside calls to databases or scripts of any kind, it is not a dangerous binary.

Further, using multiple flash files wouldn't stop anything. If you can decompile one flash movie, you can see where it points to for the next flash movie ("/flash/secure_movie.swf") and then go directly to that file, decompile it, etc...

I'm assuming everyone realizes putting sensitive information inside a flash file is the same thing as hiding it in HTML. If it gets viewed by the client it was sent over a network (which could be dangerous) and it is stored in memory on the client which can then closely examine it.

This is all using the assumption that John gave us, and that the Flash movie does not use any calls to local scripts on the host. A lot of people on this list are coming up with arguments about how to use Flash to break into databases, but John said that is not the way his site is built.

On Wed, 3 Sep 2003, Max Moser wrote:

| Date: Wed, 3 Sep 2003 20:28:47 +0200 (CEST)
| From: Max Moser <max.moser () moser-informatik ch>
| To: chiwawa999 () yahoo com
| Cc: webappsec () securityfocus com
| Subject: Re: Flash sites
|
| Hi there,
|
| No.
|
| Flash is one of the most insecure ways to do a website. We released a
| while ago a paper about modifying flash online games. See
| http://www.remote-exploit.org.
| Applications with flash are basically the same. I actually analyse the
| different authentication methods using flash, and most of them can be
| bypassed using a debugger.
| Remember flash is a movie. A very simple authentication is done by stopping
| at frame (x) and doing some fancy scripts to prove the password etc... and
| then, if it's right jump to frame (z) otherwise go to frame (y).
| So hey, flash is running on the client inside his memory, so what prevents
| me to modify the memory to force flash to jump to Z instead of y.
| I don't want to tell every scriptkiddy how to do it, but I promise, I will
| release my whitepaper when I have finished my analysis.
| Basically an advice, use more than one flash movie for the site.
|
| Greetings
|
| Max
| ___
| > Hello all,
| >
| > If a web site contains only flash files and has no
| > write permissions to modify those flash files, no
| > default files or other potentially dangerous scripts
| > can we say that is the "safest" form of a web site ?
| >
| > Are there any other concerns in auditing a flash based
| > site ?
| >
| > Thanks
| >
| > John
| >
| > __________________________________
| > Do you Yahoo!?
| > Yahoo! SiteBuilder - Free, easy-to-use web site design software
| > http://sitebuilder.yahoo.com
|
|

-R

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
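An added example, not part of the original post or thread: a pre-publication audit that lists what any client can read out of a SWF file, which is the point made above about sensitive data and about chained movies. The category patterns, function names and the sample bytes are assumptions constructed for illustration; only the FWS/CWS header layout and the "/flash/secure_movie.swf" path come from the format and the message.

```python
import re
import struct
import zlib

def swf_body(data: bytes) -> bytes:
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature = data[:3]
    if signature == b"FWS":      # body stored as-is
        return data[8:]
    if signature == b"CWS":      # body zlib-compressed (Flash 6 and later)
        return zlib.decompress(data[8:])
    raise ValueError(f"unsupported signature {signature!r}")

# Runs of six or more printable ASCII bytes, as a strings(1)-style pass would find.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Hypothetical audit categories; extend to match your own naming conventions.
FLAGS = {
    "next-movie": re.compile(r"\.swf\b", re.I),
    "credential": re.compile(r"pass(word|wd)?|secret|token", re.I),
    "url": re.compile(r"https?://", re.I),
}

def audit_swf(data: bytes) -> list:
    """List (category, string) pairs that any client could read from the movie."""
    findings = []
    for match in PRINTABLE.finditer(swf_body(data)):
        text = match.group().decode("ascii")
        for category, pattern in FLAGS.items():
            if pattern.search(text):
                findings.append((category, text))
    return findings

def make_sample(compressed: bool) -> bytes:
    """Constructed sample: a SWF header followed by raw bytes, not a playable movie."""
    body = (b"\x00\x01\x02/flash/secure_movie.swf\x00"
            b"password=constructed-example\x00\x07frame_z\x00")
    length = struct.pack("<I", len(body) + 8)   # header stores the uncompressed size
    if compressed:
        return b"CWS\x06" + length + zlib.compress(body)
    return b"FWS\x05" + length + body

if __name__ == "__main__":
    for category, text in audit_swf(make_sample(compressed=True)):
        print(f"{category:<11}{text}")
```

Anything this reports belongs on the server side of a request rather than in the movie; splitting the content across several movies only adds more files to audit.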