ajoo Posted April 11, 2018 Share Posted April 11, 2018 Hi all, I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. I have the headers information below: index.php?ppage (logged in) REQUEST HEADER Cookie: PHPSESSID=2tianhri55rl74u42u9jcq90c6; sec_session_id=pmobdo0j6r3o8lt01umcun5ib6 RESPONSE HEADER Set-Cookie: sec_session_id=k74hno7len92op5c7s4lc51oc7; path=/; HttpOnly best.php?r='xxxx..' (invoked the embedded movie that invokes best.php) REQUEST HEADER Cookie: PHPSESSID=2tianhri55rl74u42u9jcq90c6; sec_session_id=k74hno7len92op5c7s4lc51oc7 RESPONSE HEADER Cache-Control: no-store, no-cache, must-revalidate Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Date: Wed, 11 Apr 2018 13:22:44 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Keep-Alive: timeout=5, max=100 Pragma: no-cache Server: Apache/2.4.7 (Ubuntu) Transfer-Encoding: chunked Vary: Accept-Encoding I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one. I hope I am able to convey my doubt clearly enough. I hope that the experts can either confirm or allay my fears. Thanks all. Quote Link to comment Share on other sites More sharing options...
dalecosp Posted April 11, 2018 Share Posted April 11, 2018 Check the "network" tab in the console? Quote Link to comment Share on other sites More sharing options...
requinix Posted April 11, 2018 Share Posted April 11, 2018 There is no 100% safe method because everything must be initiated by the client and you cannot control exactly what happens on a user's computer. How much effort do you want to put into this? What do you see as the cost/benefit ratio for addressing this? What is the problem if someone calls the script without the movie? Quote Link to comment Share on other sites More sharing options...
ajoo Posted April 12, 2018 Author Share Posted April 12, 2018 Hi dalecosp & requinix, Thanks for the replies. @dalecosp : Check the "network" tab in the console? hmm, that's what I did and that's where I got the response and request headers from. What should i further check for under the network tabs? @requinix : How much effort do you want to put into this? I think I have already put in quite a bit. What is the problem if someone calls the script without the movie? If possible, that is what i would like to prevent. The first movie is a dummy to load another through the script. The first movie checks for the domain and if it is on the correct one, it loads the 2nd movie via the php script. Right now I am not sure if the script can be run without the movie or not. I know that movies are never truly safe, yet I want to make it as safe as i can by making it difficult to access. Thanks. Quote Link to comment Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 That Network tab will give away the second movie URL as soon as the browser starts to load it, so you have to make sure it can't be reused. 1. Movie creates a hash of the current time + the domain + a secret key 2. Second movie URL includes that same time, the domain, and the hash 3. URL verifies (a) that the time is recent, like +/- 5 minutes, and (b) that the hash matches what it expects to see The hash method should be something nicer than mere MD5 or SHA1. HMAC would be good. Quote Link to comment Share on other sites More sharing options...
ajoo Posted April 12, 2018 Author Share Posted April 12, 2018 Hi requinix, Thanks loads ! That Network tab will give away the second movie URL The network tab won't give away the movie URL since I am not using a URL to load the movie. Shouldn't the server create the hash of (#1 in your reply) and pass it along with the movie. Then the movie should pass that back to the server, which will verify the hash along with the time window, and then invoke best.php which will load the 2nd movie? Maybe that's what you are saying and i am interpreting it wrong? Please May I request a small implementation ex. of the hash_hmac using timestamp, domain_name, and a secret key. Thanks loads. Quote Link to comment Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 The network tab won't give away the movie URL since I am not using a URL to load the movie.Then... how are you loading it? Where is it coming from? Shouldn't the server create the hash of (#1 in your reply) and pass it along with the movie. Then the movie should pass that back to the server, which will verify the hash along with the time window, and then invoke best.php which will load the 2nd movie?Sure, the server could do it too. In fact that would be better. Please May I request a small implementation ex. of the hash_hmac using timestamp, domain_name, and a secret key.See the examples in the docs for hash_hmac. Quote Link to comment Share on other sites More sharing options...
ajoo Posted April 12, 2018 Author Share Posted April 12, 2018 Hi requinix ! Thanks for the reply. Then... how are you loading it? Where is it coming from? I am passing it through as a encoded string into the loading movie. It works. See the examples in the docs for hash_hmac Maybe you could just demonstrate how to use the timestamp, domain and a message together with the secret key. The function usage is straight forward. Sure, the server could do it too. In fact that would be better. Now that I think about it, the best.php, that's invoked by the loading movie is lying on my server but is not connected to my main movie. It's as if the movie tunnels through and invokes best.php. The question is how do i tie best.php to the movie through sessions. If i generate a hash_mac in the HTML/ PHP file that embeds the loading movie, ( the dummy movie), how do I pass this hash_mac value to best.php, since the two are really not connected through a session ? I hope this is clear to you. Thanks a ton. Quote Link to comment Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 The entire second movie is serialized as a string, passed to the first movie, then deserialized and played? Okay, then encrypt the string using a key that's partially derived from the time. Pass the time to the player so it can (validate and) construct the same key to decrypt the movie. Most any encryption algorithm will work for it. Quote Link to comment Share on other sites More sharing options...
ajoo Posted April 12, 2018 Author Share Posted April 12, 2018 Hi requinix The entire second movie is serialized as a string, passed to the first movie, then deserialized and played? yes that's correct ! If I may bring to your attention to some of the questions I asked previously. Now that I think about it, the best.php, that's invoked by the loading movie is lying on my server but is not connected to my main movie. It's as if the movie tunnels through and invokes best.php. The question is how do i tie best.php to the movie through sessions. If i generate a hash_mac in the HTML/ PHP file that embeds the loading movie, ( the dummy movie), how do I pass this hash_mac value to best.php, since the two are really not connected through a session ? This is to tie best.php to the session to ensure greater level of security perhaps. and finally Okay, then encrypt the string using a key that's partially derived from the time. I am not sure how to create this key using different parameters. Please illustrate with a small example code if that is not too much trouble. Thanks loads. Quote Link to comment Share on other sites More sharing options...
requinix Posted April 12, 2018 Share Posted April 12, 2018 I didn't answer not just because I couldn't understand what you were asking but because they pertained to stuff I said earlier which is irrelevant since there's now only one page load (the one that includes the first movie and second movie's data). The main thing I don't know is what you have available to use in ActionScript as far as cryptography goes. The correct tool here is called key derivation, which is a way to create an encryption key given some data that's not good enough to be used as a key on its own. You could do it in PHP but ActionScript is the question... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.