Results 1 to 4 of 4

Thread: Allow only swf to access php script

  1. #1

    Allow only swf to access php script

    Hello all,

    I have a SWF which loads a php script. The php script then passes data back as XML to the SWF. The problem here, however is that if someone decompiles my SWF, he can get the URLs to the php scripts. This results in him being able to run the script and get the XML output.

    Now, I have worked out a couple of solutions to this problem:

    1. Mark flash pass an extra variable to the script to determine that the call is from flash. Problem: by decompiling and looking through the code in the swf, the user can find out the extra parameter and pass it to the script.

    2. Use the referer variable and determine if the referer is the SWF. Problem: There might be users with security software that blocks the referer, thus the script will not work on their system.

    3. Use sessions and check if a session exists when executing the script. Problem: Not entirely sure about this, but if a user decompiles the SWF, then he can find the url to the script that sets the session. He then sets a session before executing the script which passes the XML data back.

    Any better solutions or input appreciated

  2. #2
    Well you don't really have to decompile a movie to find out what kind of resources it's accessing. Anyone can just download the Live HTTP headers firefox plugin from https://addons.mozilla.org/en-US/firefox/addon/3829 , which gives you all the URLs the browser (and any movies inside it) are accessing. I use all the time to debug my apps.

    Right now the only solution seems to be the referer one but are you sure the referer is different from the one you get when you access the php script directly? Either way... I think it can be spoofed easily and is not a sufficient security measure.

    But why would you want to prevent people from seeing the output of your php script in the first place?
    Outputted xml should never contain any unencrypted secret information and I can't see why you'd need something like that in the first place

    Member #1 of the "Don't message me your flash questions" cult

  3. #3
    hi andr.in,

    Yes the output xml does not contain any secret information, it just passes data to the flash app as it is more strutured than trying to pass variables in the from &var1=blah&var2=blah.

    I dont mind people seeing the XML, but i'd rather not display the ouput when people call the script directly. If a person calls the script directly, the referer should be blank, although i have heard reports of security software blocking referer data which will make legit requests from the SWF not work.

  4. #4
    Yea you can't depend on referer.

    The only way I can think of is to build a very complex system on encrypted keys that only work once. (Which would still have to be passed back and forth between flash and he php script, thus several layers of encryptions are needed. But even that could be cracked by decompiling the swf, it would just make it awfully difficult)

    I can't think of any simple foolproof method of achieving this.

    But all in all I think that even if not displaying the xml data to users would serve some kind of security purpose it requires way too much effort to achieve.
    I can't imagine why one would be even interested in calling your php script directly, other than for hacking purposes, but if the xml doesn't contain any valuable information then seeing the xml structure won't tell the hacker probably anything.
    Every site is likely to contain other more serious security holes than that.

    If you ask me, what you're trying to achieve is wasted effort and you should rather be spending your time finding and patching up other possible security holes.

    Member #1 of the "Don't message me your flash questions" cult

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Home About kirupa.com Meet the Moderators Advertise

 Link to Us

 Credits

Copyright 1999 - 2012