GraphicRage
01-03-2008, 05:20 PM
So, my company is on a security kick this week, and there was an article alerting to recent attacks on a lot of secure sites in a UK magazine.
Anyhow, the article mentions the use of SWF Intruder to narrow down security issues. The main topic of the article seems to be aimed at Adobe Connect skins more than anything.
I've just run through one of our Flash pieces, and I got a lot of errors coming back, but I'm wondering if they are worth considering.
Basically, I pass my XML file location/file name in through flashvars, as well as a directory location for external images. Those variables are defined directly in the FlashObject embed, not in the URL string. The content of the XML file is read into an HTML textbox.
Since swfIntruder can only examine the actual SWF, not the Object embed, etc., I'm wondering if these are really issues. They obviously come back as undefined because it cannot examine the HTML that gives the location of the XML, and it injects a value into the Flash file.
Obviously a phishing attack could simply embed our SWF on their page for unsuspecting users, but I simply won't be able to put the direct URL of the XML file into the SWF due to the security settings in our server structure (you never know which you'll end up on when rendering the page, in other words). It doesn't make a SWF any more vulnerable than a regular HTML/image page in my view. But as we know, the topic of the day is to find any way for developers embedded in a C++ mindset to advocate not using Flash at all.
It would also present an issue for toggling out language XML files, which IS in fact handled in a URL string by using a pull-down JavaScript menu to toss the variable into the Flash object.
Anyone have some insight?
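The one place in the setup described above where an untrusted value reaches the SWF is the language switch: a value from the URL query string is pushed into the Flash object as a flashvar, and the SWF then loads that XML into an HTML-enabled text field. The defender's check is to never forward the raw query-string value; instead map it to an allowlisted file path on the embed side and fall back to a default for anything unknown. The following is an added example of that embed-side logic, not code from the original post or from SWF Intruder; the flashvar names (`xmlFile`, `imageDir`, `lang`), the file paths and the language codes are constructed sample values.

```javascript
// Added example (not from the original post): build the flashvars string for the
// FlashObject embed from an allowlist rather than passing the raw query-string value.
// The flashvar names, XML paths and language codes below are constructed samples.

// Constructed allowlist: language code -> XML file the SWF is allowed to load.
const LANGUAGE_FILES = {
  en: "xml/content_en.xml",
  fr: "xml/content_fr.xml",
  de: "xml/content_de.xml",
};
const DEFAULT_LANGUAGE = "en";

// Resolve the requested language to an allowlisted path. Unknown, malformed or
// missing values fall back to the default file instead of being forwarded.
function resolveXmlPath(requestedLang) {
  if (typeof requestedLang !== "string") {
    return LANGUAGE_FILES[DEFAULT_LANGUAGE];
  }
  const lang = requestedLang.toLowerCase();
  return Object.prototype.hasOwnProperty.call(LANGUAGE_FILES, lang)
    ? LANGUAGE_FILES[lang]
    : LANGUAGE_FILES[DEFAULT_LANGUAGE];
}

// Read the `lang` parameter from a query string such as "?lang=fr" (the value a
// pull-down menu would put into the URL). Returns null when it is absent.
function languageFromQuery(search) {
  const params = new URLSearchParams(search);
  return params.get("lang");
}

// Build the flashvars string handed to the embed. Each value is URL-encoded so a
// single value cannot smuggle in an additional "&name=value" pair.
function buildFlashVars(search, imageDir) {
  const xmlPath = resolveXmlPath(languageFromQuery(search));
  return (
    "xmlFile=" + encodeURIComponent(xmlPath) +
    "&imageDir=" + encodeURIComponent(imageDir)
  );
}

// Usage with constructed input: the query string from the current page and a
// fixed image directory that never comes from the URL.
const flashVars = buildFlashVars("?lang=fr", "images/");
console.log(flashVars);
```

In the browser the `search` argument would be `window.location.search`; the image directory stays a constant in the embed, as the post already does. The SWF itself still sees only two flashvars, so SWF Intruder's undefined-variable findings for those names are expected and the question becomes whether the values can ever be attacker-chosen, which this mapping prevents.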