
Security issues between Actionscript & PHP

ajoo php & flash security

3 replies to this topic

#1 ajoo


Posted 04 November 2013 - 02:29 PM

Hi all, 

 

I am developing an application that involves php and flash. Flash is on the server too in the form of swf file running inside an HTML page. I would like to know what security issues loom large with such applications. I would be happy if someone can come out with some known security issues and also point to some that could occur and should be looked into.

 

I am using Flash 8.0 with actionscript 2.0. I am aware that swf can be disassembled. How easy is that and what can be done to prevent someone from doing so?

 

The interaction of Flash and PHP occurs as follows: Once the client is logged in he can activate the flash movie page which is like a game. The game gets its stored values from a database so the flash connects to php and is fed from it the initialisation values for the movie to start. The movie plays and some values are generated during the game ( almost all integers & 1,2 dates). Once the game ends these values are stored back into the database by flash calling the php and POSTing data into the database through it (php).

 

One question that I wanna ask is that since the program is generating the values, do I need to take the security measures on the posted data and validate and escape it before storing it into the MySQL database? Can these values also be intercepted by a malicious user and changed before the PHP stores them in the DB?

 

Any knowledge on this that anyone here considers relevant is very welcome. I would be happy for any and all responses on this issue from all the gurus here and thank you all in advance. Have a great day all!

 

 

 



#2 dalecosp


Posted 04 November 2013 - 04:53 PM

The interaction of Flash and PHP occurs as follows: Once the client is logged in he can activate the flash movie page which is like a game. The game gets its stored values from a database so the flash connects to php and is fed from it the initialisation values for the movie to start. The movie plays and some values are generated during the game ( almost all integers & 1,2 dates). Once the game ends these values are stored back into the database by flash calling the php and POSTing data into the database through it (php).

 

One question that I wanna ask is that since the program is generating the values, do I need to take the security measures on the posted data and validate and escape it before storing it into the MySQL database? Can these values also be intercepted by a malicious user and changed before the PHP stores them in the DB?

Yes; I would do some securing of POST.  In particular, if POSTing can be allowed from anywhere (I'm assuming since the Flash is on the client side, it's coming from the WWW at large).  If someone can disassemble the SWF file, they can find out where to POST to.

For that matter, anyone with a packet sniffer or riding tail on a proxy or firewall log can figure out where your Flash is POSTing to.

That done, the door is open to send bogus POST data, and that's why you need to make sure all data coming from outside is sanitized...


Edited by dalecosp, 04 November 2013 - 04:54 PM.

"God doesn't play dice" --- Albert Einstein
"Perl is hardly a paragon of beautiful syntax." --- Weedpacket
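
Added example (not part of the original thread): one way to do the server-side validation recommended above for the values the SWF POSTs, using range-checked integers, a strict date check and a prepared statement. The field names (score, level, played_on), their ranges, the game_results table and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed fields the SWF POSTs at game end, with assumed valid ranges.
const INT_FIELDS = ['score' => [0, 100000], 'level' => [1, 50]];

function validate_game_post(array $post): array
{
    $clean = [];
    foreach (INT_FIELDS as $name => [$min, $max]) {
        $value = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($value === false) { // missing, array, non-integer or out of range
            throw new InvalidArgumentException("bad $name");
        }
        $clean[$name] = $value;
    }
    // Accept only a real calendar date written exactly as YYYY-MM-DD.
    $raw = $post['played_on'] ?? null;
    $date = is_string($raw) ? DateTimeImmutable::createFromFormat('!Y-m-d', $raw) : false;
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('bad played_on');
    }
    return $clean + ['played_on' => $raw];
}

function store_result(PDO $db, int $userId, array $clean): void
{
    // Prepared statement: values are bound, never concatenated into the SQL.
    $stmt = $db->prepare('INSERT INTO game_results (user_id, score, level, played_on)
                          VALUES (:user_id, :score, :level, :played_on)');
    $stmt->execute(['user_id' => $userId] + $clean);
}

// Constructed demo: SQLite in memory stands in for MySQL, 7 for the session's user id.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE game_results (user_id INT, score INT, level INT, played_on TEXT)');
$requests = [
    ['score' => '4200', 'level' => '3', 'played_on' => '2013-11-04'],     // sent by the game
    ['score' => '99999999', 'level' => '3', 'played_on' => '2013-11-04'], // altered in transit
    ['score' => '4200', 'level' => 'abc', 'played_on' => '2013-02-30'],   // malformed
];
foreach ($requests as $post) {
    try {
        store_result($db, 7, validate_game_post($post));
        echo "stored\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The user id is taken from the logged-in session on the server, not from the POST body. Range checks reject malformed and absurd values, but they cannot prove that a plausible-looking score was actually earned in the game.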

#3 ajoo


Posted 05 November 2013 - 12:29 AM

Thanks dalecosp, 

 

I'll take that into consideration and do the data validation and sanitizing there. I would be glad to get some more answers on some of the other issues that I have mentioned in this post. Thanks all for their valuable time and helpful comments. 



#4 ajoo


Posted 05 November 2013 - 01:00 AM

Hi! Here's another thing that is more Flash-specific that I wish to ask. I have in my flash game actionscript on various frames that I have written on those particular frames. Would it be any help to take that actionscript off those frames there and put it in a separate file in the sense that now if someone decompiles the swf file the actionscript would be safe? Would separating the code from the movie save the code? If so then how can I do this separation?

 

For e.g. if I have code on frames 10 and 30 and at 50 then how can I separate the code and make sure that it would be executed as is being done now when it is written on those frames? So I don't know if separating the code from the flash swf will save it in case the file is decompiled. 2) if yes, i.e. if this is the safer route - then how can I separate the code from the movie and ensure the movie runs the same as before?

 

Thanks !





