-
1. Re: security problem in AS3, HTTP requests and posts...
FeZEC Nov 13, 2010 7:25 AM (in response to polatkanfatih)
Your question was a bit unclear. I was able to understand that you can view your HTTP requests with 3rd party plugins, probably like Firebug or Charles Web Proxy etc., but yet I assume Flash is preventing something from occurring.
If this is correct, there are things, as you stated, called Security Violations. These come into play when you are loading anything from a site that is not where the swf is hosted.
Mainly the use of information that is not viewed to be YOURS will throw a violation and sometimes will quietly fail. Flash tracer or FlashBug (like Firebug) will generally trace a sandbox violation error.
The way to allow this is first by placing a CrossDomain.xml on the site which you are looking to load data from. If this is not a possibility then you need to develop what is known as a proxy page. This is through server side code. Client side will rarely to never run into any sandbox violations because they are talking directly to a server.
Anyhow, such things throw sandbox violations: BitmapData manipulation of images from another site. ExternalInterface.call to the js on your own html page (to prevent that you need allowScriptAccess=true). Sound analysis from a site that is not yours. Loading XML or TXT from a site that is not yours. Loading a swf into your swf that came from another swf. Trying to access data in a swf that did not come from your domain (prevent by using allowAccess('yourdomain') in the swf you are trying to access). I believe these are all the issues.
-iBen
-
2. Re: security problem in AS3, HTTP requests and posts...
polatkanfatih Nov 13, 2010 7:43 AM (in response to FeZEC)
I mean that being able to see HTTP requests and posts leads to hacking. Hackers can post data easily or make it using some programs etc.
My anxiety is about hacking, not security exceptions or crossdomain.
-
3. Re: security problem in AS3, HTTP requests and posts...
Andrei1 Nov 13, 2010 7:50 AM (in response to polatkanfatih)
It is not Flash only. Any browser based Internet traffic can be seen by anyone. You need to implement server side scripts that prevent unwanted requests from being processed.
-
4. Re: security problem in AS3, HTTP requests and posts...
FeZEC Nov 13, 2010 8:43 AM (in response to Andrei1)
Andrei1 is correct.
This will always be an issue, which is why it's good to make this script server side, or encrypt the information. Send your information through a post rather than a get.
Even banks get hacked, so don't think this is something that can be STOPPED, only slowed down.
-
5. Re: security problem in AS3, HTTP requests and posts...
polatkanfatih Nov 13, 2010 9:49 AM (in response to FeZEC)
I already make a post, not a get, but in spite of this, post actions can be seen with all detail....
-
6. Re: security problem in AS3, HTTP requests and posts...
FeZEC Nov 13, 2010 9:52 AM (in response to polatkanfatih)
Correct.
That is why the next step is encoding, using md5 hashes to encode your bytes. Then on server side you decode it.
What are you sending back and forth?
-
7. Re: security problem in AS3, HTTP requests and posts...
polatkanfatih Nov 13, 2010 9:55 AM (in response to FeZEC)
I am dealing with game scores... saving and getting....
But how can this security be done on the server side?
Because it is said that people use some 3rd party programs, reach data in RAM during the game or app, manipulate it and bingo...
-
8. Re: security problem in AS3, HTTP requests and posts...
FeZEC Nov 13, 2010 10:00 AM (in response to polatkanfatih)
Of course, but this is something they can always do.
Listen, your game will be published in a swf, and if I truly care to change your scores, I will save your swf to my desktop, decompile it to see your code, and then know everything I need to make my changes.
If you are that afraid of security then I highly recommend you hire someone who is a .NET developer or PHP developer to help you with the data being sent.
If you encode the data before you send it, then the user is less likely to know what you are sending, and then by the time it hits the server, I won't have known anything.
Let's say a=2 b=3 c=4 d=5
and I want to spell out bad. I could send over 3,2,5 and how would you know what that meant? You just need a server page that knows how to turn 3,2,5 back into bad when being saved.
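A sketch of the server-side checking this thread recommends for score submissions, added here as an example and not code from any poster: the server signs a ticket at game start with a key that never ships in the swf, then rejects forged or reused tickets and scores that cannot be reached in the elapsed time. The function names, the ticket format and the limits `MAX_POINTS_PER_SECOND` and `MIN_GAME_SECONDS` are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never in the swf
MAX_POINTS_PER_SECOND = 50            # assumed game rule
MIN_GAME_SECONDS = 5                  # assumed shortest legitimate game
_used_tickets = set()                 # in-memory here; a real server persists this


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def start_game(player, now):
    """Issue a ticket at game start, formatted player|nonce|start|mac."""
    payload = f"{player}|{secrets.token_hex(8)}|{int(now)}"
    return f"{payload}|{_sign(payload)}"


def submit_score(ticket, player, score, now):
    """Validate a posted score; returns (accepted, reason)."""
    payload, _, mac = ticket.rpartition("|")
    # Constant-time comparison; a client cannot forge the MAC without SERVER_KEY.
    if not hmac.compare_digest(_sign(payload).encode(), mac.encode()):
        return False, "bad ticket signature"
    parts = payload.split("|")
    if len(parts) != 3 or parts[0] != player:
        return False, "ticket not issued to this player"
    if ticket in _used_tickets:
        return False, "ticket already used"
    elapsed = now - int(parts[2])
    if elapsed < MIN_GAME_SECONDS:
        return False, "game too short"
    # Plausibility bound: the client-reported score is never trusted as-is.
    if not 0 <= score <= elapsed * MAX_POINTS_PER_SECOND:
        return False, "score not reachable in elapsed time"
    _used_tickets.add(ticket)
    return True, "ok"
```

A player who decompiles the swf learns the request format but not `SERVER_KEY`, so what remains possible is submitting a plausible score once per started game; tighter bounds need more game-specific checks on the server.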
-
9. Re: security problem in AS3, HTTP requests and posts...
polatkanfatih Nov 13, 2010 10:03 AM (in response to FeZEC)
I will try your suggestions... thanks for your interest...
-
10. Re: security problem in AS3, HTTP requests and posts...
Andrei1 Nov 13, 2010 11:27 AM (in response to polatkanfatih)
In addition to what FeZEC said, there is no way you can protect your requests unless you use a secure server - but this is something that you have to pay for (security certificate) unless your host is generous enough to provide this for free.
-
11. Re: security problem in AS3, HTTP requests and posts...
birnerseff Nov 13, 2010 2:00 PM (in response to Andrei1)
Commenting on the last statement: secure servers are a good thing when it comes to stopping intruders from reading your traffic (say you don't want card numbers to be seen by third parties). They may be not so good when it comes to intercepting your own traffic.
I had an interesting solution to the decompiler problem, but it was built for AS1/2 code: the swf loaded from the server contained some variable algorithm that was "developed" and compiled by the server on the fly. So someone going the decompile route would probably find a different encoding algo in use than the one they just decompiled. This certainly makes it harder for the average decompiler user.
However, if it is possible to load the game swf into some loader and interact with its code, there might be no need to understand data transmission.
The same holds here as for secure servers: with the right tools you can run somebody else's swf from their server but inside a swf of yours - and Flash would believe same origin.
-
12. Re: security problem in AS3, HTTP requests and posts...
Andrei1 Nov 13, 2010 2:43 PM (in response to birnerseff)
When one intercepts secure encrypted communication, how will he be able to decode values without the key?
-
13. Re: security problem in AS3, HTTP requests and posts...
birnerseff Nov 13, 2010 11:33 PM (in response to Andrei1)
Hi,
I understood "secure server" as the usual https stuff. There are tools to go in between the client and the server, and grab the traffic. Of course the tool will present a somewhat mediocre certificate for the site you are talking to. If you want to record your own traffic, then it should be okay to click half a dozen prompts and go ahead.



