Flash (In)Security

By | December 3, 2006

As Flash evolves from being a web toy to an interface for Rich Internet Applications, the security issues with Flash are becoming more important. The very term Flash Security is an oxymoron. Anything running on the client side is inherently insecure. Furthermore (and often more importantly), anything communicating from the client to a server (especially if that server is connected to a database) is under threat and extremely vulnerable.

The first thing to be aware of is that ANY code you put in your Flash SWF file is readily available to anyone who has access to it. With a free decompiler like Flare or the more robust commercial product ActionScript Viewer, every line of code in your movie is accessible and readable in seconds.

People debate the virtues of having an ActionScript decompiler all the time. But what I'm talking about here isn't stealing someone else's code snippet and claiming it as your own. What I'm talking about is the information contained in your code (things like data server URLs, passwords, Flash Remoting and Communication Server connection strings, etc.). It doesn't matter if you are using Flash Remoting or any other type of middleware (ASP, PHP, ColdFusion, etc.). If you are passing inputs to the server, there are a wide variety of ways to attack it.
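A pre-release check for the point above, as an added example that is not from the original article: it unpacks an SWF body (plain `FWS` or zlib-compressed `CWS`) and lists the URLs and credential-like strings that anyone holding the file can read. The sample bytes, host names and password are constructed, and the two patterns are illustrative assumptions to tune for your own project.

```python
import re
import struct
import zlib

# Values that should not ship inside a client-side file (illustrative patterns).
URL_RE = re.compile(rb"(?:https?|rtmp[st]?)://[\x21-\x7e]+")
SECRET_RE = re.compile(rb"(?i)(?:password|passwd|pwd|secret|apikey)[\x20-\x7e]{0,40}")


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed SWF body (everything after the 8-byte header)."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig, body = data[:3], data[8:]
    if sig == b"FWS":   # uncompressed movie
        return body
    if sig == b"CWS":   # zlib-compressed body (SWF 6 and later)
        return zlib.decompress(body)
    raise ValueError(f"unsupported signature {sig!r}")


def audit_swf(data: bytes) -> dict:
    """List embedded URLs and credential-like strings found in the movie."""
    body = swf_body(data)

    def hits(rx):
        return sorted({m.group().decode("ascii") for m in rx.finditer(body)})

    return {"urls": hits(URL_RE), "secrets": hits(SECRET_RE)}


def make_sample(compressed: bool) -> bytes:
    """Constructed SWF-like container (not a playable movie) for the demo."""
    body = (b"\x00\x01padding\x00"
            b"rtmp://media.example.com/app\x00"
            b"http://data.example.com/gateway.php\x00"
            b"dbPassword=hunter2\x00")
    # Header: signature, version byte, little-endian uncompressed file length.
    header_tail = bytes([8]) + struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + header_tail + zlib.compress(body)
    return b"FWS" + header_tail + body


if __name__ == "__main__":
    for flag in (False, True):
        print("CWS" if flag else "FWS", audit_swf(make_sample(flag)))
```

Compression changes nothing about exposure: both sample files yield the same findings, so anything reported here belongs on the server, behind authentication, rather than in the movie.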
