Hello everybody!

I want to discuss in this topic about: "How to build a secure flash application on web". I've been touched recently by this issue and I think that we should have a little talk about it.

I'm talking here about the flash applications that use php server-side scripts and mySQL databases.

We all know that SWF files are open format, so anybody can decompile them and see the AS code. Seeing the AS code leads immediately to knowing the directory structure of the php scripts that reside on the web server. So, if I have an php script that is accessed by using the sendAndLoad() method of the LoadVariable class, then anybody who decompiles the swf file, will know the precise location of the php script on the web server. A person who can access this php script, can also insert data in your database, by sending variables from a form, located on a different web server.

Now, how can we restrict access to this file, so it can be accessed only by other files that resides on the same domain. "By using the HTTP referer" should say some of us. Well, no! The HTTP referer can be faked by tampering the HTTP header data that is sent to the script (POST or GET). Tampering the data allows you to change the value of the variables that are sent through the HTTP header.

I've created a flash game and there were a few users that tampered the HTTP headers sent by the game, so their final score was way over the best players of the game. This was not a nice sensation at all, especially because the game had some prizes. So now I've decided to look for help here.

Thanks to those who will participate!

There's no way to make it tamperproof, since it runs on the client.

However, you can make it very, very hard to tamper. I would suggest opening an xml socket, and sending the game actions to the server as the user is playing the game. This way you can then calculate the score from the game history, instead of having the user submit just any score.

Forging an entire game history is a lot more difficult than forging a header and a highscore.

There are other things you can try in addition to this. For example, you can generate your swf server-side, and include session-specific information inside the swf. Each request from the client would have to send this session-specific information for authentication. A user would need to decompile the swf, extract the session info, submit a fraudulent game history using this info, and do all this before the session expires. The odds of that are extremely unlikely.

You can also try any of the many swf obfuscation tools. But from what I've read none of these actually work.

Hmmm, I was thinking to something much easier. Tell me what do you think about the next method.

1. I send the score through POST, just like before, for example LoadVariables.sendAndLoad('insert_score.php', XML_AS_Object, 'POST').
2. The score is inserted in the scores table and in a separate column of this table we put the value of md5(score . $somekeycode . $currentTime). Let's name the column something like `validation`.
3. In the XML that is returned to AS, that, I guess, it can't be tampered, we send back the score that was actualy inserted and the value that was generated for the `validation` column.
4. If the score inserted is the same with the one that was originaly sent, than we access a php script that would validate the score according to the validation key, replacing the value in the `validation` colum with a value that represents validation, for example 'validated'.

What do you think about this?

Under that system it would still be quite easy for a malicious user to decompile your program and to build a fake client that behaves the same way as the real client.

It would be harder to crack, that's true, but I don't know if it would be hard enough.

There's no such thing as perfect security. The only thing you can do is make it so difficult for the bad guys to do bad things that they just won't bother.

Is there any way to lock php scripts access to a specific domain, other than verifying the page referer?

1. I send the score through POST, just like before, for example LoadVariables.sendAndLoad('insert_score.php', XML_AS_Object, 'POST').
I think that should be LoadVars.sendAndLoad(...);

Yes, that's correct, sorry for that... of course it's LoadVars.sendAndLoad()

Now, how can we restrict access to this file, so it can be accessed only by other files that resides on the same domain. "By using the HTTP referer" should say some of us. Well, no! The HTTP referer can be faked by tampering the HTTP header data that is sent to the script (POST or GET). Tampering the data allows you to change the value of the variables that are sent through the HTTP header.

I know it's not the most secure, but I'm trying to do something similar with the technique above.

I have a .swf that lives on one domain (www.abc.com), that's executing a loadVariables to a php script on another domain (www.xyz.com).

If I send the request via getURL command in Flash, the php script works just fine in reading the refering domain. But when it is sent via the loadVariables, or sendAndLoad (as an xml object), the php script can never read the HTTP-REFERER variable.

Do you guys know if there is something different I should be doing in my action script? Or am I going down the wrong path with my PHP trying to read the referer as : $myVar = #_SERVER['HTTP-REFERER']

Any advice would be great.

Nevermind. I got it to work.

I believe since I wasn't really sending anything via GET or POST when using the loadVariables method there weren't any headers for PHP to read.

In doing another test. I used the LoadVars object instead of a plain loadVariables method. I also added two dummy vars for the LoadVars to send via sendAndLoad method.

Not sure yet which was the solution: switching over to LoadVars, or adding the dummy vars to the POST or both.