
Embedded Flash Security

I had a discussion with my colleague about Flash security. We're in the phase of planning some things for our web project that is using the Flash plugin to display content. We need to dynamically pull settings for the Flash application from the server, using JSON.

The proposal that I offered was that we should save the extra HTTP request needed to pull the data file after the plugin is loaded, and embed the JSON directly in the page containing the Flash plugin. Flash would fire a JavaScript function that'd return the deserialized JSON data to it.

My colleague opposed this proposal with significant "security concerns".

I believe that there's literally zero difference between these two approaches besides the fact that his approach requires an additional HTTP request. All of this is client/server and the client should never be trusted. If I want to change the data that is in the JSON query, I can do that in both cases. The file pull is a little more difficult to hack, though, but possible with a custom HTTP proxy.

What are your thoughts?

asked Oct 24 '22 20:10

adamkonrad


2 Answers

There is no difference. Both can be fabricated.

answered Oct 27 '22 10:10

zerkms


If you really care that much about delivering original settings to the .swf:

  • Don't use HTTP - httpFox is a brilliant plugin - use a server that supports RTMP/RTMPE and NetConnection.call() to retrieve the data.

  • Create an algorithm for validating the original JSON so that your app won't work if the config doesn't pass the test.

  • After the config is loaded, your swf might check the values with the server (not all at a time) and throw an error if something goes wrong.

answered Oct 27 '22 11:10

www0z0k
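
An added example, not code from the question or from either answer: one possible form of the "algorithm for validating original json" mentioned in the second answer, in which the server signs the settings and the client verifies the signature before using them. The choice of Ed25519, the function names and the sample settings are assumptions; the check gives the same result whether the JSON is embedded in the page or fetched with a separate request, and it does not protect against a user who modifies the client itself.

```javascript
// Added example: signed settings envelope. All names here are hypothetical.
const crypto = require('node:crypto');

// Server side: the key pair is generated once; only the public key ships with the client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Server: serialize the settings once and sign those exact bytes.
function signSettings(settings, key) {
  const payload = JSON.stringify(settings);
  const sig = crypto.sign(null, Buffer.from(payload, 'utf8'), key).toString('base64');
  return { payload, sig };
}

// Client: verify the signature over the received bytes before parsing them.
// Returns the parsed settings, or null if the envelope is malformed or altered.
function verifySettings(envelope, key) {
  if (!envelope || typeof envelope.payload !== 'string' || typeof envelope.sig !== 'string') {
    return null;
  }
  try {
    const ok = crypto.verify(null, Buffer.from(envelope.payload, 'utf8'), key,
                             Buffer.from(envelope.sig, 'base64'));
    return ok ? JSON.parse(envelope.payload) : null;
  } catch (err) {
    return null; // treat any verification or parsing error as a failed check
  }
}

// Constructed sample settings.
const envelope = signSettings({ quality: 'high', maxItems: 20 }, privateKey);

// Delivery A: envelope embedded in the HTML page (round-trips through JSON text).
const embedded = JSON.parse(JSON.stringify(envelope));
// Delivery B: envelope fetched with a second request, one value altered in transit.
const tampered = { ...envelope, payload: envelope.payload.replace('20', '9999') };

function demo() {
  return {
    embedded: verifySettings(embedded, publicKey), // parsed settings object
    tampered: verifySettings(tampered, publicKey), // null: signature no longer matches
  };
}
```

Values the server actually relies on still have to be re-checked on the server, as the third bullet of the answer suggests.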