I am passing a variable to a SWF file that provides access to several other SWF files. You can see the line I am using to assign the value to the variable beneath the THIS LINE comment below.
<script type="text/javascript">
/*THIS LINE*/
var flashvars = {a: "<%= User.Identity.IsAuthenticated %>"};
/*
Some other stuff here...
*/
swfobject.embedSWF("index.swf", "myAlternativeContent", "100%", "100%", "10.0", "expressInstall.swf", flashvars, params, attributes);
</script>
I am concerned that someone using an HTTP proxy could just switch the value of a from False to True if they wanted access. Am I right to be worried?
Is there a different way I should be controlling whether access to the child SWF is allowed?
I would say don't emit anything that they don't have access to. In this case, if they aren't authenticated, don't send any of that script to the browser.
Yes, you should be concerned.
Assuming you can't change the flow (i.e., you have to send the script even if they aren't authenticated), then I'd change the "true/false" value to some type of key. The children should verify the key was passed before executing.
If possible, make the key user specific.
This doesn't completely solve the issue, but it would be harder for someone to provide a key that they don't have.
UPDATE:
Based on the very good comments, I have a different route.
Add a web request handler (.ashx file) to the site. Have the client call that to load the swf file. The handler should first test to see if they are indeed logged in. If they are, serve the file. If not just close the connection.
Basically change the embed line to look something like:
swfobject.embedSWF("grabFile.ashx?id=123", "myAlternativeContent", "100%", "100%", "10.0", "expressInstall.swf", flashvars, params, attributes);
Then have a .ashx request handler on your site test for being logged in prior to response.writing the actual contents of the swf file.
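As an added example (not code from the answer above), here is what such a grabFile.ashx handler could look like. It assumes the child SWFs are stored under ~/App_Data/swf/, which ASP.NET does not serve directly, and that the id query value is an opaque key looked up in a server-side table rather than used as a file name.

```csharp
<%@ WebHandler Language="C#" Class="GrabFile" %>
// Added example: serve a child SWF only when the request carries an
// authenticated identity. Unlike a flashvar, this check runs on the server,
// so flipping a value in an HTTP proxy does not bypass it.
using System;
using System.Collections.Generic;
using System.Web;

public class GrabFile : IHttpHandler
{
    // Assumed mapping from opaque ids to file names, so the client never
    // controls the path that is opened on disk.
    private static readonly Dictionary<string, string> Files =
        new Dictionary<string, string>
        {
            { "123", "child1.swf" },
            { "124", "child2.swf" }
        };

    public void ProcessRequest(HttpContext context)
    {
        // Same test the page used in flashvars, now evaluated server-side.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.End();
            return;
        }

        string id = context.Request.QueryString["id"];
        string fileName;
        if (id == null || !Files.TryGetValue(id, out fileName))
        {
            context.Response.StatusCode = 404;
            context.Response.End();
            return;
        }

        // ~/App_Data is blocked from direct download by ASP.NET, so the
        // handler is the only way to reach these files.
        string path = context.Server.MapPath("~/App_Data/swf/" + fileName);
        context.Response.ContentType = "application/x-shockwave-flash";
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(path);
    }

    public bool IsReusable { get { return true; } }
}
```

The flashvars value can then be dropped entirely; an unauthenticated user gets a 401 from the handler instead of a file, whatever the client sends.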
Yes, they could. Security doesn't work on the client side; you'd have to control access to the files from the server.