Old 02-24-2007, 12:37 PM   #1
maxdamage
Registered User
 
Join Date: Feb 2007
Posts: 4
security in flash web applications

Hello everybody!

I want to discuss in this topic: "How to build a secure flash application on the web". I've been touched recently by this issue and I think that we should have a little talk about it.

I'm talking here about the flash applications that use php server-side scripts and mySQL databases.

We all know that SWF files are an open format, so anybody can decompile them and see the AS code. Seeing the AS code leads immediately to knowing the directory structure of the php scripts that reside on the web server. So, if I have a php script that is accessed by using the sendAndLoad() method of the LoadVariable class, then anybody who decompiles the swf file will know the precise location of the php script on the web server. A person who can access this php script can also insert data in your database, by sending variables from a form located on a different web server.

Now, how can we restrict access to this file, so it can be accessed only by other files that reside on the same domain? "By using the HTTP referer", some of us would say. Well, no! The HTTP referer can be faked by tampering with the HTTP header data that is sent to the script (POST or GET). Tampering with the data allows you to change the value of the variables that are sent through the HTTP header.

I've created a flash game and there were a few users who tampered with the HTTP headers sent by the game, so their final score was way over the best players of the game. This was not a nice sensation at all, especially because the game had some prizes. So now I've decided to look for help here.

Thanks to those who will participate!
Old 02-24-2007, 04:00 PM   #2
jsebrech
Joeri Sebrechts
 
Join Date: Apr 2005
Location: Antwerp, Belgium
Posts: 1,465

There's no way to make it tamperproof, since it runs on the client.

However, you can make it very, very hard to tamper. I would suggest opening an xml socket, and sending the game actions to the server as the user is playing the game. This way you can then calculate the score from the game history, instead of having the user submit just any score.

Forging an entire game history is a lot more difficult than forging a header and a highscore.

There are other things you can try in addition to this. For example, you can generate your swf server-side, and include session-specific information inside the swf. Each request from the client would have to send this session-specific information for authentication. A user would need to decompile the swf, extract the session info, submit a fraudulent game history using this info, and do all this before the session expires. The odds of that are extremely unlikely.

You can also try any of the many swf obfuscation tools. But from what I've read none of these actually work.
Old 02-25-2007, 11:35 AM   #3
maxdamage
Registered User
 
Join Date: Feb 2007
Posts: 4

Hmmm, I was thinking of something much easier. Tell me what you think about the following method.

1. I send the score through POST, just like before, for example LoadVariables.sendAndLoad('insert_score.php', XML_AS_Object, 'POST').
2. The score is inserted in the scores table and in a separate column of this table we put the value of md5(score . $somekeycode . $currentTime). Let's name the column something like `validation`.
3. In the XML that is returned to AS, which, I guess, can't be tampered with, we send back the score that was actually inserted and the value that was generated for the `validation` column.
4. If the score inserted is the same as the one that was originally sent, then we access a php script that would validate the score according to the validation key, replacing the value in the `validation` column with a value that represents validation, for example 'validated'.

What do you think about this?
Old 02-26-2007, 06:33 AM   #4
jsebrech
Joeri Sebrechts
 
Join Date: Apr 2005
Location: Antwerp, Belgium
Posts: 1,465

Under that system it would still be quite easy for a malicious user to decompile your program and to build a fake client that behaves the same way as the real client.

It would be harder to crack, that's true, but I don't know if it would be hard enough.

There's no such thing as perfect security. The only thing you can do is make it so difficult for the bad guys to do bad things that they just won't bother.
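To make the two proposals concrete, here is an added PHP example (it is not code from anyone in this thread). It places the md5 "validation" round-trip from post #3 beside the scheme jsebrech describes in post #2: a per-session token baked into the generated SWF, a log of game actions streamed during play, and a score the server recomputes from that log instead of trusting the client's number. The function names, the `SERVER_SECRET` constant (standing in for `$somekeycode`), the use of an HMAC rather than a bare md5 for the token, the game rules (10 points per hit, a miss ends the run), the 100 ms minimum gap between actions and all sample data are assumptions made for the demo; there is no database, so the script runs on its own with `php`.

```php
<?php
// Added example, not code from the thread. Two ways of accepting a score on
// the server side, side by side. Secret, rules and sample data are constructed.

const SERVER_SECRET = 'constructed-secret-replace-in-production'; // plays the role of $somekeycode

// ---- Post #3 scheme: the server stores md5(score . key . time) and echoes it back.
function insertScoreWeak(int $score, int $now): array {
    $validation = md5($score . SERVER_SECRET . $now);
    // Both values go back to the client in the returned XML.
    return ['score' => $score, 'validation' => $validation, 'time' => $now];
}

function validateScoreWeak(array $echoed): bool {
    // All the server learns is that its own round-trip was completed. A fake
    // client that replays the same two requests with an invented score passes
    // this check just as well, which is the objection raised in post #4.
    $expected = md5($echoed['score'] . SERVER_SECRET . $echoed['time']);
    return hash_equals($expected, $echoed['validation']);
}

// ---- Post #2 scheme: session token in the SWF, action log, server-side scoring.
function issueSessionToken(string $sessionId, int $issuedAt): string {
    // HMAC (assumed here instead of a plain hash) so the token cannot be
    // rebuilt without the server secret. This value is embedded in the SWF.
    return hash_hmac('sha256', $sessionId . '|' . $issuedAt, SERVER_SECRET);
}

function tokenIsValid(string $sessionId, int $issuedAt, string $token, int $now, int $ttl = 600): bool {
    if ($now < $issuedAt || $now - $issuedAt > $ttl) {
        return false; // expired: the attacker has to finish "before the session expires"
    }
    return hash_equals(issueSessionToken($sessionId, $issuedAt), $token);
}

function scoreFromHistory(array $actions): int {
    // Constructed rules: 10 points per 'hit'; the first 'miss' ends the run.
    $score = 0;
    foreach ($actions as $a) {
        if ($a['type'] === 'hit') {
            $score += 10;
        } elseif ($a['type'] === 'miss') {
            break;
        }
    }
    return $score;
}

function historyIsPlausible(array $actions, int $minGapMs = 100): bool {
    // A forged history still has to look like a human played it: timestamps
    // must increase and no two actions may be closer than $minGapMs apart.
    $prev = null;
    foreach ($actions as $a) {
        if ($prev !== null && $a['t'] - $prev < $minGapMs) {
            return false;
        }
        $prev = $a['t'];
    }
    return true;
}

function submitScore(array $request, int $now): array {
    if (!tokenIsValid($request['session'], $request['issued_at'], $request['token'], $now)) {
        return ['ok' => false, 'reason' => 'bad or expired session token'];
    }
    if (!historyIsPlausible($request['actions'])) {
        return ['ok' => false, 'reason' => 'implausible action timing'];
    }
    // Whatever score the client claims is ignored; only the recomputed one is stored.
    return ['ok' => true, 'score' => scoreFromHistory($request['actions'])];
}

// ---- Demo with constructed data.
$issuedAt = 1000000;
$token = issueSessionToken('sess-42', $issuedAt);
$legit = ['session' => 'sess-42', 'issued_at' => $issuedAt, 'token' => $token,
    'claimed_score' => 30,
    'actions' => [['type' => 'hit', 't' => 0], ['type' => 'hit', 't' => 400],
                  ['type' => 'hit', 't' => 900], ['type' => 'miss', 't' => 1300]]];
print_r(submitScore($legit, $issuedAt + 5));        // ok, score 30

$inflated = $legit;
$inflated['claimed_score'] = 999999;                 // the tampered-header case from post #1
print_r(submitScore($inflated, $issuedAt + 5));     // still score 30

$scripted = $legit;
$scripted['actions'] = array_map(function ($i) { return ['type' => 'hit', 't' => $i]; }, range(0, 99));
print_r(submitScore($scripted, $issuedAt + 5));     // rejected: implausible action timing

print_r(submitScore($legit, $issuedAt + 3600));     // rejected: token expired

var_dump(validateScoreWeak(insertScoreWeak(999999, $issuedAt))); // true: any score "validates"
```

The design point is the one jsebrech makes: nothing here stops a determined person from decompiling the SWF, but the server never takes a score on faith. The token limits who can submit and for how long, and the recomputation plus plausibility check turns "change one number in a header" into "fabricate a whole believable game", which is the cost increase the thread is after. The weak scheme at the top is kept only to show why its validation value proves nothing about how the score was produced.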
Old 02-28-2007, 04:03 PM   #5
maxdamage
Registered User
 
Join Date: Feb 2007
Posts: 4

Is there any way to lock php script access to a specific domain, other than verifying the page referer?
Old 02-28-2007, 05:11 PM   #6
burzaone
Registered User
 
Join Date: Feb 2007
Location: Poland
Posts: 35

Quote:
Originally Posted by maxdamage View Post
1. I send the score through POST, just like before, for example LoadVariables.sendAndLoad('insert_score.php', XML_AS_Object, 'POST').
I think that should be LoadVars.sendAndLoad(...);
Old 02-28-2007, 08:35 PM   #7
maxdamage
Registered User
 
Join Date: Feb 2007
Posts: 4

Yes, that's correct, sorry for that... of course it's LoadVars.sendAndLoad()
Old 03-13-2007, 01:15 PM   #8
Vector9
Registered User
 
Join Date: Mar 2007
Posts: 8

Quote:
Now, how can we restrict access to this file, so it can be accessed only by other files that reside on the same domain? "By using the HTTP referer", some of us would say. Well, no! The HTTP referer can be faked by tampering with the HTTP header data that is sent to the script (POST or GET). Tampering with the data allows you to change the value of the variables that are sent through the HTTP header.
I know it's not the most secure, but I'm trying to do something similar with the technique above.

I have a .swf that lives on one domain (www.abc.com), that's executing a loadVariables to a php script on another domain (www.xyz.com).

If I send the request via the getURL command in Flash, the php script works just fine in reading the referring domain. But when it is sent via loadVariables, or sendAndLoad (as an xml object), the php script can never read the HTTP-REFERER variable.

Do you guys know if there is something different I should be doing in my action script? Or am I going down the wrong path with my PHP trying to read the referer as :
Code:
// PHP exposes the header under HTTP_REFERER (underscore), read from the $_SERVER array
$myVar = $_SERVER['HTTP_REFERER'];
Any advice would be great.
Old 03-13-2007, 02:03 PM   #9
Vector9
Registered User
 
Join Date: Mar 2007
Posts: 8

Never mind. I got it to work.

I believe since I wasn't really sending anything via GET or POST when using the loadVariables method there weren't any headers for PHP to read.

In doing another test, I used the LoadVars object instead of a plain loadVariables method. I also added two dummy vars for the LoadVars to send via the sendAndLoad method.

Not sure yet which was the solution: switching over to LoadVars, or adding the dummy vars to the POST or both.
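For anyone following Vector9's path, here is an added PHP example (not Vector9's script) that reads the referer through the array key PHP actually populates, handles the case where the header is absent, and compares only the host part of the URL against an allow-list rather than doing a substring match. The `refererHostAllowed` function, the allow-list and the sample request arrays are constructed for the demo; in a real script `$_SERVER` would be passed in.

```php
<?php
// Added example, not code from the thread. Defensive reading of the referer
// header in PHP; allow-list and sample inputs are constructed.

function refererHostAllowed(array $server, array $allowedHosts): bool {
    // The key is HTTP_REFERER (underscore, not hyphen) and it is missing
    // entirely when the client sent no Referer header, which is what a bare
    // loadVariables call produced in post #8.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // malformed URL or no host component
    }
    // Compare the whole host, not a substring: 'www.abc.com.evil.test' must not pass.
    return in_array(strtolower($host), $allowedHosts, true);
}

$allowed = ['www.abc.com']; // constructed allow-list, the SWF's domain from post #8
var_dump(refererHostAllowed(['HTTP_REFERER' => 'http://www.abc.com/game.swf'], $allowed));   // bool(true)
var_dump(refererHostAllowed(['HTTP_REFERER' => 'http://www.abc.com.evil.test/'], $allowed)); // bool(false)
var_dump(refererHostAllowed([], $allowed));                                                   // bool(false), header absent
```

As the thread already notes, the header is supplied by the client, so this check only keeps out accidental cross-site posts and casual form submissions; a per-session token carried in the request is what actually ties a submission to a SWF the server handed out.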