WebApp Sec mailing list archives

RE: Flash sites


From: "Mathew C. Beckman" <Security () mnbn net>
Date: Wed, 3 Sep 2003 15:54:51 -0500

Also remember that just because something is stored in a Flash file, doesn't
mean it's safe.

It is very easy to download and decompile a Flash file to its
near-original form.  From here, you can view calls it's making, files it
loads, and any text stored in it.

Take for example a site that has a password to enter, and the site is done
in Flash.  If that password is stored inside the Flash code, then it is not
secure.  Flash itself is interpreted and run from the end user's machine, not
on the server.  If you want it to be doing any processing, or offer any type
of security services, you need to go ahead and have it call up scripts on
the server-side.  Flash itself does not open any security holes, nor does it
explicitly prevent any.  Much of it depends on the type of application
you're creating.

If you're creating a dynamic, data-driven application, the main point of
security you need to look at is where and how the information is getting to
the application.  Of course, as Nick said, this is all a moot point if the
server it's sitting on is not secure.

- Matthew C. Beckman


-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com]
Sent: Wednesday, September 03, 2003 12:05 PM
To: John Madden; webappsec () securityfocus com
Subject: RE: Flash sites


Depends, if you mean web content itself then it's pretty damn good. However
you still have to worry about the webserver it sits on. The webserver itself
can be hacked and then those flash files can be deleted, other files
uploaded... and so on.

-Nick
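
The point in the reply above about a password stored inside the Flash file, as an added example that is not part of the original thread: a pre-publish audit that lists string literals in a SWF (including a zlib-compressed `CWS` one), next to a server-side check that keeps the secret out of the client. The sample file and password are constructed, the function names are hypothetical, and PBKDF2 is this example's choice rather than something the thread names.

```python
import hashlib, hmac, os, re, struct, zlib

SECRET = "constructed-pass-123"  # constructed sample value, not from the thread

def make_sample_swf(compressed=True):
    """Build a constructed SWF-like file: 8-byte header plus a body holding a literal."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"  # filler bytes
    body += b"\x96\x16\x00\x00" + SECRET.encode() + b"\x00\x00"    # embedded literal
    length = struct.pack("<I", 8 + len(body))  # header stores the uncompressed size
    if compressed:
        return b"CWS\x06" + length + zlib.compress(body)  # CWS: zlib after byte 8
    return b"FWS\x06" + length + body                      # FWS: stored as-is

def swf_body(data):
    """Return the uncompressed body that follows the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported signature %r" % sig)

def embedded_strings(data, min_len=6):
    """List printable ASCII runs in the body; compression does not hide them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, swf_body(data))]

def enroll(password, iterations=100_000):
    """Server side: keep only a salt and a PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations

def verify(candidate, salt, digest, iterations):
    """Server side: recompute the digest and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(probe, digest)

if __name__ == "__main__":
    for name, blob in (("FWS", make_sample_swf(False)), ("CWS", make_sample_swf(True))):
        print(name, "literals found by audit:", embedded_strings(blob))
    record = enroll(SECRET)
    print("server accepts correct value:", verify(SECRET, *record))
    print("server accepts wrong value:", verify("guess", *record))
```

Any literal the audit reports is readable by everyone who can download the movie, so the client should only submit the user's input to a server-side script that performs a check like `verify`.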

