Jump to content

ajoo

Members
  • Content Count

    717
  • Joined

  • Last visited

Everything posted by ajoo

  1. ajoo

    a suspicious pop-up

    Hi all, I used my localhost after a long time. The embedded flash movie tries to load data from the server via a file called testfest.php when the browser blocks a pop which has this message. pop up blocked on the page : http://localohost/myproject/undefinedtestfest.php Does this indicate something malicious? Should I unblock the pop-up and see what happens or maybe that would be unsafe? If this is suspicious then what should i be checking for ? Thanks all !
  2. ajoo

    a suspicious pop-up

    Hi requinix !! Thanks for the reply. You know, at first, I thought the "undefinedtestfest.php" was a file on some remote server trying to do something fishy. Taking a closer look, i assumed that maybe it was a php error, (only that it was a funny way to do it), but then I thought why would the server report something in this manner and not the usual way? But then again I thought since the scripts are invoked through an embedded movie, probably that's why it's displaying in this manner. It never thought that this could be a JS error, probably because I was concerned it maybe someone trying something fishy on my machine through a malicious script. I'll look into the js. Thanks loads !
  3. Hi all. The code embedding the swf file using AC_RunActiveContent.js looks as below: <script type="text/javascript" > AC_FL_RunContent('codebase','http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0','width','800','height','580','align','middle','src','FlashWebsite','quality','high','bgcolor','#ffffff','name','FlashWebsite','allowscriptaccess','sameDomain','pluginspage','http://www.macromedia.com/go/getflashplayer','movie','FlashWebsite' ); </script> 1. I would like to run this off a .js file so that this could be CSP compatible & would replace the above code. 2. I also need to pass two php variables as FlashVars in the above code. For eg like this FlashVars = "var1=$var1&var2=$var2" So I would need to pass these two variables from php into the .js file that i wish to create in 1. i would be much obliged for any help on this. Thanks all !!
  4. Hi Guru Barand & all ! Please can someone help me out with this. @Guru Barand: SIr it's not working even when I put the params directly in the JQuery as in #3. Kindly guide. Thanks all !
  5. Hi Guru Barand, Thanks for the reply ! I just tried as follows : In the HTML HEAD block I added <head> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <script language="javascript">AC_FL_RunContent = 1;</script> <script src="AC_RunActiveContent.js" language="javascript"></script> <script type="text/javascript" src="fl.js"></script> </head> & created the fl.js simply as $(document).ready(function(){ if (AC_FL_RunContent == 0) { alert("This page requires AC_RunActiveContent.js."); } else { AC_FL_RunContent( 'codebase', 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0', 'width', '550', 'height', '400', 'src', 'AS3_swf_php_comm_1', 'quality', 'high', 'pluginspage', 'http://www.macromedia.com/go/getflashplayer', 'align', 'middle', 'play', 'true', 'loop', 'true', 'scale', 'showall', 'wmode', 'window', 'devicefont', 'false', 'id', 'AS3_swf_php_comm_1', 'bgcolor', '#ffffff', 'name', 'AS3_swf_php_comm_1', 'menu', 'true', 'allowFullScreen', 'false', 'allowScriptAccess','sameDomain', 'movie', 'AS3_swf_php_comm_1', 'salign', '' ); } }); leaving aside the flashvars for the moment. If i paste the contents of fl.js using <SCRIPT>tags directly in HTML, all works fine. But with the fl.js as above, I get a perpetually loading fevicon symbol and the disabled flash player symbol saying "Click to enable Adobe Flash Player". There is no other error or anything else in the chrome inspector. If I comment out the params section in the fl.js and simply put an alert, the messages appears and there is no perpetual fevicon. Of-course no running swf either. Please help. Thanks.
  6. Hi all, I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. I have the headers information below: index.php?ppage (logged in) best.php?r='xxxx..' (invoked the embedded movie that invokes best.php) I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one. I hope I am able to convey my doubt clearly enough. I hope that the experts can either confirm or allay my fears. Thanks all.
  7. Hi requinix yes that's correct ! If I may bring to your attention to some of the questions I asked previously. This is to tie best.php to the session to ensure greater level of security perhaps. and finally I am not sure how to create this key using different parameters. Please illustrate with a small example code if that is not too much trouble. Thanks loads.
  8. Hi requinix ! Thanks for the reply. I am passing it through as a encoded string into the loading movie. It works. Maybe you could just demonstrate how to use the timestamp, domain and a message together with the secret key. The function usage is straight forward. Now that I think about it, the best.php, that's invoked by the loading movie is lying on my server but is not connected to my main movie. It's as if the movie tunnels through and invokes best.php. The question is how do i tie best.php to the movie through sessions. If i generate a hash_mac in the HTML/ PHP file that embeds the loading movie, ( the dummy movie), how do I pass this hash_mac value to best.php, since the two are really not connected through a session ? I hope this is clear to you. Thanks a ton.
  9. Hi requinix, Thanks loads ! The network tab won't give away the movie URL since I am not using a URL to load the movie. Shouldn't the server create the hash of (#1 in your reply) and pass it along with the movie. Then the movie should pass that back to the server, which will verify the hash along with the time window, and then invoke best.php which will load the 2nd movie? Maybe that's what you are saying and i am interpreting it wrong? Please May I request a small implementation ex. of the hash_hmac using timestamp, domain_name, and a secret key. Thanks loads.
  10. Hi dalecosp & requinix, Thanks for the replies. @dalecosp : hmm, that's what I did and that's where I got the response and request headers from. What should i further check for under the network tabs? @requinix : I think I have already put in quite a bit. If possible, that is what i would like to prevent. The first movie is a dummy to load another through the script. The first movie checks for the domain and if it is on the correct one, it loads the 2nd movie via the php script. Right now I am not sure if the script can be run without the movie or not. I know that movies are never truly safe, yet I want to make it as safe as i can by making it difficult to access. Thanks.
  11. Hi, Is it possible to read the bytecode of a an uncompressed swf file into a binary array in php? If so, how? Thanks all !!
  12. Hi Kicken, Thanks for the reply. I have actually tried out your suggestion and I could manage to send the swf, loaded into a string using file_get_contents, into flash. If I echo out the string in php, this is what it gives. But strangely, the length of the string = undefined in Flash. So I am unable to manipulate it. Does this have to do with the fact that the .swf is a binary file format? How can I then store and retrieve it back as a byteArray? Thanks loads.
  13. Hi Kicken, Thanks for the reply. I want to read the swf as it's binary executable form and store that into an array. Bytecode is the binary executable that is loaded into memory when executing a .swf file. Thanks.
  14. Hi requinix ! Thanks for the reply. I think maybe I was not able to explain the problem clearly enough. As t happens I needed to make only a few changes in the code in loaddata.php and jquery to get it working. Thanks you.
  15. Hi all ! I am using this tutorial and I am modifying it to include csrf protection. The index.php uses getToken(); to generate an anti-csrf token which is then inserted in the form as a hidden input field as below: <tr> <td> <select id="country_dropdown" > <option value="-1">Select country</option> <?php while($stmt->fetch()) { ?> <option value="<?php echo $country_id ?>"><?php echo $country_name ?></option } <?php // token added as hidden field echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> </select> </td> </tr> <tr> <td> <select id="state_dropdown" > <?php echo $_SESSION['token']; // debug ?> <option value="-1">Select state</option> </select> <?php // The token does not change even when it is changed in loaddata.php. The change values // does not get reflected here. So adding the below code is useless, so commented out. // echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> <span id="state_loader"></span> </td> </tr> This scheme works if the same token is to be used for all drop downs. If I change destroy and change the token in loaddata.php, the ajax response file, where the data is sent and received from for proceeding to the next drop-down, the change in the token value is not reflected in the index.php since, i guess, that file is not refreshed to load the new token value. So how can I make this work? Please help. Thanks !
  16. Hi all, I would like to clarify 2 aspects of flash security and confirm if they can be intermixed to make an attack. SO the aspects areis :- 1. The flash application on the original domian is embedded by a hacker/cracker in another page served from another (hacker) domain. 2. The flash is decompiled and served from the hacker domain. The one that actually worries me and i would like to ask about is the intermixing of the two. Let's assume that the flash application (swf file) has been downloaded and de-compiled by a hacker and he removes whatever little protection there is in there to check if the swf is running in it's original domain . Now he can upload that into another domain (hacker domain) and serve it from there. The question is a) What about the data that the movie requires to be run. This data is placed on the original server. Can hacker domain somehow get the data from original server in real time and server it to users from hacker domain to whomsoever? if so how and how difficult it would be. b) if the original server uses secured sessions and user verification (via a login panel of-course) before serving the files , would the above (a) still be possible if at all ? c) What if the hacker is also a legitimate user and is able to log in into the original server as a user? Or is that not a big deal ? if the data can be hijacked and used in real time by the hacker domain, what measures can effective block it and prevent it? Thanks all !
  17. Hi all, I have a linux VM on my Windows computer and I use that for testing. I also have a xampp installed on my Windows machine and that is the default local host for the windows machine. So is it possible for me to make the VM act as a localhost for the windows machine as well? If so, how? I hope that my question is clear. I need to do this since I it's difficult to debug my flash files as the rest of the project is on the VM. I don't want to take move all the stuff back into the windows machine just to test the flash files there. Thanks all !
  18. Hi, Thanks Kicken & Gizmola, Thanks for the reply and suggestions. I am. in fact, already doing as suggested by you both. The problem lies with flash files that (i think) can be run only in the windows environment.To test locally on flash therefore I needed to work in windows and so needed the localhost on windows. In any case, I have eventually ported portions of the code in windows and am able to test locally now using localhost. Thanks very much !
  19. ajoo

    an exact string match only

    Hi all, I want to know if it's possible that the regex matches for the exact subject string, instead of checking for the match anywhere inside of a string. to take an example, if the regex is /([A-z0-9])\w+\.\w{3,4}/ and the subject string is , (i.e. the one within the double quotes.) "'sjvjhvbj.bnm'lsjksnkboubouboubsoubsobob.txt" then because the string begin's with a single quote, it should return a mismatch. That is what I would like to achieve. What is happening is that it finds a pattern match inside the string as : sjvjhvbj.bnm which is not what is desired. Thanks all !
  20. ajoo

    an exact string match only

    Hi, Yea so it fails there as well. Great ! Thanks.
  21. ajoo

    an exact string match only

    Hi Psycho ! Thanks for the reply. Actually I tested it online here with a whole bunch of strings and it seemed ok. I was just trying to be doubly sure and so asked for your affirmation. Thanks very much for the code snippet. These, by the way, array("abcd.abc!", 'Pass'), array("abcd.abcd!", 'Pass'), array("abcd.abcde!", 'Pass') failed when i tested them online as I would want them too. I will check them using the snippet as well. Thanks.
  22. ajoo

    an exact string match only

    Hi psycho ! Thanks for the response ! Yes you understood it right. That was almost what i wanted. I also wanted that it should give a mismatch if there is any character in the subject string which is not allowed by the regex. The following seems exactly right so far i could test. /^([A-z0-9])\w+\.\w{3,4}$/ If you can verify that I'ld be grateful. One more thing, even though it seems not required because of the regex now takes care of it, what if i wanted to ensure that there can be only one dot in the string? How could that be achieved. Thanks loads !
  23. Hi, Below is how I am handling the database data before I display it on a page. . $query = "SQL QUERY to retrieve some data"; . . while ($stmt->fetch()) { $fname = html_escape($fname); $lname = html_escape($lname); $city = html_escape($city); $cell = html_escape($cell); // verify that $xid is numeric. if(($xid = fcheckNumber($xid)) === false) die('Internal error. Conatct Admin'; // verify that $role has a valid value against a set of values. if(($role = html_escape(fcheckRole($role)))=== false) die('Internal error. Conatct Admin'; // verify that $email is correctly formatted as an email should be. if(($email = html_escape(fcheckEmail($email)))=== false) die('Internal error. Conatct Admin'; // verify that $status is numeric. if(($status = fcheckNumber($status))===false) die('Internal error. Conatct Admin'; . . . display the above data in a form. } My questions are: Is this the right way of handling the data before I display it on a form or am i overdoing it with all the checks and die statements? Am I missing out some other security aspect here ? Then there are instances where i use verify a SESSION variable or a POST / GET variable similarly. if(($xid = $_SESSION['xid'])===false) die('Internal Error. Contact Admin'); OR if(($xid = $_POST['id'])===false) die('Internal Error. Contact Admin'); Is this alright or can I skip some of these checks ? I'd like to mention here that I use prepared statements for all queries and the same data verification as above when I add the data to the database. I do not html escape any data that is put into the DB. Thanks all !
  24. Hi all !! Sorry for the delayed response as I was away for a few days. @ginerjm : Yes that's correct. bind_result($lname, $ fname, $date, ...); @stratadox : Correct ! Thanks for that. You are right. I have only recently, since my last 2 posts, added the html_escape to the fcheck functions missing out on some good advise by Guru Jacques of using the html_escape function only while outputting the data. My fault. Thanks a lot for pointing out this blunder. @ Guru Barand : It would be great to hear your views on this. I mean on the idea of checking / validating the data fetched from the DB. Should it be done or not as every one else seems to think that it's redundant. @ Phi11W: Hi, Thanks for reply. May I request you to elaborate on this. Irrespective of whether I check the value of the data from the DB or not, wouldn't this happen anyway if a site is hacked and data compromised? Thanks all !
  25. Hi Psycho, Thanks for the advice. I won't really use die, but then can't this be considered as an extreme case if I find that data stored in the database, which was stored after data validation, has a different data type than was initially inserted, on retrieval from the DB. However I intend to use the I think I am doing exactly as you have mentioned in 2 and 3. i.e. I am doing the validation before saving the data to the database if they pass the criteria. I do not sanitize any inputs or change them in any way. I escape the output only while displaying the data from the DB. I am however validating the data from the DB upon retrieval. I thought it was a bit cumbersome but I am doing it anyways. Thanks loads !
×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.