| Register
Saturday, May 17, 2008   
You are here :     Article

Flash (In)Security

Created By  Satori Canton, at  4/7/2005 - 34 comments.

Satori has been an internet consultant since 1994. He is an Adobe Flex Champion, specializing in Rich Internet Applications (RIAs) using Flash, Flex and AIR.

Click to view this author's website.

Important Note: The following article discusses issues of web security for the benefit of Flash application developers looking to make secure Flash applications. Most of the material presented is commonly available on the web and known to both the web security community as well as the web hacking community. Where there is new information, I'm being purposefully vague; alerting the reader to the threat and the remedy without actually releasing the exploit. None of these techniques should be used on any server or Flash application that you do not own or have permission to test security upon. If you get busted doing something you shouldn't have, and end up going to the FPMITA Prison, don't send me the hate mail.


As Flash evolves from being a web toy to an interface for Rich Internet Applications, the security issues with Flash are becoming more important. The very term Flash Security is an oxymoron. Anything running on the client-side is inherently insecure. Furthermore (and often more importantly) anything communicating from the client to a server (especially if that server is connected to a database) is under threat and extremely vulnerable.


Decompiling a SWF


The first thing to be aware of is that ANY code you put in your Flash SWF file is readily available to anyone that has access to it. With a free decompiler like Flare or the more robust commercial product ActionScript Viewer, every line of code in your movie is accessible and readable in seconds.


People debate the virtues of having an ActionScript decompiler all the time. But what I'm talking about here isn't stealing someone else's code snippet and claiming it as your own. What I'm talking about is the information contained in your code (things like data server URLs, passwords, Flash Remoting and Communication Server connection strings, etc.). It doesn't matter if you are using Flash Remoting or any other type of middleware (ASP, PHP, ColdFusion, etc.). If you are passing inputs to the server, there are a wide variety of ways to attack it.


Once a hacker knows where and how you are communicating to your server, Flash becomes almost irrelevant. They can attack your server directly with a simple web browser.


SQL Injection


One of the most nefarious, effective and common attacks is known as SQL Injection. In short, SQL Injection is replacing web page inputs (for example username and password) with SQL code that, when evaluated on the server, will actually execute in the database. This could allow a hacker to do anything from gaining unauthorized login to stealing and deleting your entire database.


In a demonstration about a month ago, I was able to show one of my clients how to have their entire database e-mail itself to me (using nothing but a web browser and typing in the URL string). The hack took seconds and swept their most valuable data out from under them. Their database has since been locked down.


What do you do to prevent this? Treat all input as if it were evil. Validate EVERYTHING on the server before passing it to your database. If a field only requires a number as an input, then don't allow any other characters other than a number. If you require numbers and letters, then only allow numbers and letters. If someone needs to send you an e-mail address, then only allow numbers letters and the symbols @, - and dot (.), AND HTML ENCODE those symbols before sending them to the database.


Also, turn off SQL mail if your server supports it. Never anonymously connect to your database as the system administrator (sa). Set up a specific roll for your Flash application to use that only allows access to the procedures in the database that you need for that application.


Finally, do not allow your database to display errors to the user. Informative errors on a web page help developers track down bugs. But they can also help hackers discover every part of your database. Create a custom error page (even for pages that are only intended to be read by Flash only) and tell your middleware to ignore errors and resume the next line of code.


Cross Site Scripting (XSS)


Another attack, known as XSS or Cross Site Scripting is common in JavaScript but there is a way to use the same technique in Flash. XSS is sending people a corrupted link to a web page. The link itself makes a JavaScript hit to read the data stored in the cookie for that site and then submit that data to the destination page. The best example of this would be to send someone a link to their web-based e-mail account (i.e. Hotmail, Yahoo, GMail). Many times users of web-based e-mail accounts will click the option to have their browser log them in automatically. The browser can do this by storing the username and password in a cookie. In an XSS attack, the hacker could gain access to the data in the cookie and there by have access to your e-mail account. Once they have the e-mail account, they can get into anything attached to that e-mail account. Go to PayPal (or the person's bank if they have e-mail from them in their account). The user name is the e-mail address. Try their e-mail password and you might get in. If not, tell PayPal that you forgot your password and have them e-mail it to you!


Because Flash's client-side shared objects use a security paradigm similar to JavaScript cookies, it is possible (but a little more difficult) to use a similar type of attack in a Flash based RIA to get the data from the shared object. I haven't heard of this actually happening in the wild. But after tinkering a little, I have seen it happen. To accomplish this, the application has to have a way to submit an HTML link into it (again like an e-mail program would). You would have to have some knowledge of the inner workings of the SWF (which is not a problem if you decompile it). From there it's pretty simple to have Flash send you almost any data you wanted.


Conclusion


If you're just building little Flash toys, security may not be much of an issue (if at all). But if you are doing any kind of client-server communications or if you are storing data (any kind of data) on the client or especially in the SWF itself, you'll need to be aware of the threats and dangers involved.


A full discussion of network security is beyond the scope of this article. But if I've wetted your appetite and you want to learn more about web security in general, there are plenty of tutorials on how to prevent both SQL Injection and XSS to be found on the web. Even if you are not a Windows developer, I would also recommend the book "Writing Secure Code, Second Edition" from Microsoft Press. It has volumes of information about network security issues, including many issues that apply to web developers.

Need Professional Help For Your ActionScript Project?
ActionScript.com Consulting Services provide top quality professional ActionScript consulting to businesses around the globe. If you have a professional project in need to world-class talent, tell us about your project by requesting a quote today.

Reader Comments

  1. Jason Nussbaum  Replied:
    ( 4/7/2005 At 2:07 AM)

    While I agree with you in principle, I have to say that your comments don't speak to Flash (with the exception of the decompilation issue), but to web development in general. SQL Injection is not specific to Flash. Yes, most starter Flash Developers/Designers who are just getting into server communication don't know about it, but Flash is no more susceptible to SQL Injection than a good ol' html form.
    I posted a link to a similar article (dealing specifically with SQL Injection) on my blog a few months ago.
    So kudos to you for continuing the efforts to get this information out in the Flash community.

  2. Satori Canton  Replied:
    ( 4/7/2005 At 8:14 AM)

    Jason, you're right that web security goes far beyond Flash, and that is the point of my article. But often people put things like passwords, connection strings, or server locations within their SWF files. So my point is that you shouldn't store that kind of information in the SWF. Plus, a few other obscure exploits that could occur if you're not being security minded when making Flash applications.
    As people start using Flash as a data view, they often make their entire database vulnerable. Other people just don't realize the vulnerability they have or the threat that exists when they make their applications.
    I'll probably continue this topic with some smaller issues like obfuscating code and issues that relate to AS 2.0. But I wanted to get the discussion going with this article on the big issues and see what others had to say about it.
    Thanks for the feedback and the kudos. We'll keep continuing the effort to help people make secure RIAs.

  3. Warren  Replied:
    ( 4/10/2005 At 11:20 AM)

    Um, someone can decomplie your doed even if the swf file is locked?
    Warren

  4. Satori  Replied:
    ( 4/10/2005 At 8:37 PM)

    You can get the code out of ANY SWF file, even if it is "locked."

  5. Warren  Replied:
    ( 4/10/2005 At 11:12 PM)

    Hmm, I did not know that. So, if you use flash for password authentification, it is not safe? But at the same time, if you go to my website, click client log-in, it is javabase, you can not guess the password, nor is there a trail to follow.
    Can you make a flash passowrd box java-enabled and then plug that security once and for all?
    Warren

  6. Satori  Replied:
    ( 4/11/2005 At 8:03 AM)

    NEVER use Flash or any other kind of client-side script for password authentication. Anything that sends passwords or open connection strings to the client makes your server voulnerable.
    Anything on the server that accepts client-side inputs should be treated as "evil" until proven otherwise. But using client-side authentication could definitely lead to serious trouble.

  7. mxskout  Replied:
    ( 4/11/2005 At 4:42 PM)

    "I’ll probably continue this topic with some smaller issues like obfuscating code and issues that relate to AS 2.0."
    I would be pleased about it. ,-)

  8. Warren  Replied:
    ( 4/12/2005 At 12:47 AM)

    Hmm,
    Well, I have PHP, but i'm just learning that, but I have a friend who does all the programming for me as I learn how to edit his coding.
    Satori, thanks for all the info and the heads up.
    Warren

  9. Etrain  Replied:
    ( 4/14/2005 At 7:59 AM)

    Satori,
    Nice article. I agree with many of your ideas and much of it is true. However, security is a scary issue and it feels as if you've pulled some "fire alarm" that Flash is more insecure then this or that.
    Flash is a powerful client and with that power developers need to be careful when weilding such power.
    I'm just saying that the title and tone of the article is very sensational.

  10. Victor  Replied:
    ( 4/15/2005 At 3:39 PM)

    besides exploits and security holes that are common general web-app headaches, i would like to know if flash supports security and encription protocols and formats like ssl.

  11. Adrian Ludwig  Replied:
    ( 4/15/2005 At 8:06 PM)

    Satori,
    Thanks for writing this article -- I truly appreciate anything that helps raise awareness of security among developers. The brevity of the article made it difficult to include some of the details, so it might be helpful to point readers to some additional information.
    For specifics about the Flash security model, this whitepaper provides some more detailed information (sorry about the picture):
    http://www.macromedia.com/devnet/flashplayer/articles/client_security.html
    SQL injection is certainly a problem for web apps, but it isn't really related to the client technology, so to talk about this as though it were specific to Flash is a bit of a red herring. Regardless of the client-side technology, the server code needs to validate input for SQL injection.
    XSS, on the other hand, is definitely a client-side issue. As you mentioned, Flash is better protected than most web technologies, but people should still know exactly where the problem might occur. Here's a technote that describes the issue in more detail:
    http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_19604
    I hope that helps,
    Thanks,
    Adrian Ludwig
    Macromedia Product Security Team

  12. abi  Replied:
    ( 4/16/2005 At 2:16 PM)

    alite

  13. Oliver  Replied:
    ( 4/17/2005 At 10:21 PM)

    A very helpful analysis of Flash's security. Thanks!

  14. Zozo  Replied:
    ( 4/19/2005 At 7:09 PM)

    I'm sorry guys but the only thing about Flash and security I've read here is decompilation issue. The rest of the issues are common problems for any web application. So if I'm not wrong (and I'm not) the same problems can be raised during discussing Java or .NET for example (we can also decompile classes and assemblies so these technologies are insecure too!). I don't want to be to categorical but I'm sure that adding word "security" to the title of the article is just an attempt to invite invention to it and not analysis of Flash's security or something else.

  15. Ashot Petrosian  Replied:
    ( 4/23/2005 At 3:48 AM)

    I agree with the posters above: All of what is written above applies to any client side technology (ie don't store password in your javascript code). Flash is a rendering engine, and it makes 0 difference to the server wether your app is rendered in Flash or HTML. As such, there are no security issues which are Flash-specific.
    Security holes are in the middleware which is interacting with the server. Since Flash can't interact with the server directly the security risks that need to be addressed are in whatever script or language or technique is being called by the Flash app.

  16. Mr.Underhill  Replied:
    ( 5/12/2005 At 2:30 PM)

    Satori, please advise me, I have the following situation:
    I have a Rent a Car website, and one of my affiliates wants to implement an integrated interface against my reservations engine using Flash. They basically are planning to create an flash interface that is directly calling services on my website. As you pointed out, direct communications between client and server is evil, specially because the user token that they are going to need to run my service is stored on the flash.
    What options do I have then, I still want to secure incomming requests to my services with a usertoken, but at the same time let them create their flash interface.
    What would be the way to do it securely?
    Thanks in advance
    PS: Great article

  17. Mr. Swa  Replied:
    ( 5/30/2005 At 4:34 PM)

    Mr. Underhill: The article is particularly about giving the client an edge because Flash is a client side application. However, you can still have Flash be just as safe as any other type of served page in the browser, just be aware that any variables stored directly in Flash can be scene if decompiled.
    If you use Flash to call methods on your server, and authenticate the call to those methods (can be done using server-side scripts and Flash Remoting) then it is exactly the same as any other served page off of your server and is very secure.
    Most Developers check URI strings anyways so this isn't a foreign implementation. Different medium (Flash) same techniques (URI string authentications).

  18. Amayeta Webmaster  Replied:
    ( 6/2/2005 At 4:45 PM)

    Hi,
    Please excuse the "shameless promotion" but I just wanted to point out our SWF Encryption Software - SWF Encrypt 3.0
    It uses Encryption and Advanced Obfuscation techniques to encrypt your SWF ActionScript code and prevent decompilers from viewing the code. Please feel free to download a trial copy from http://www.amayeta.com and check it out for yourself.
    Thank you for reading.

  19. anonymous  Replied:
    ( 6/9/2005 At 10:28 PM)

    SWF Encypt 3.0 doesn't encrypt anything!
    All it does is put a weak wrapper over your code to prevent decompiling. This will, sooner or later, be discovered and implemented by decompilers. And still, advanced SWF crackers can read the binary format. Again, even though the name is SWF Encrypt, there is nothing about encryption in it!
    It took me less than 15 minutes to find out how it works, and it does that by hiding your code from decompilers.
    The method used can be automatically removed, and might cause errors while playing your SWF file in future FlashPlayers.

  20. Amayeta Webmaster  Replied:
    ( 6/15/2005 At 12:56 AM)

    Hi "anonymous",
    If this is the case, please feel free to contact me directly and help us make our software better. We've been working on SWF Encrypt for over 18 months now (hence it is in version 3.0 of its life) and during that time, as with any encryption of any file type, updates are necessary to mantain security.
    If you read our website, we ourselves admit that it is impossible to secure a SWF 100% due to its open nature. BUT with SWF Encrypt 3.0 you CAN make it harder for would-be ActionScript thieves who love nothing more than to pull SWFs apart.
    Totally committed and professional hackers can break into Windows, never mind the SWF format!
    If you have circumvented our security, please email me directly and help us improove the software. Thanks.

  21. lilliput  Replied:
    ( 6/20/2005 At 6:25 PM)

    Hello Amayeta Webmaster,
    The "trick" to software like yours (for the benefit of other readers who may not know) is called Security By Obscurity. The basic crypto is really simple and I think you waste your effort in it.
    To encrypt something you need a cypher mechanism. IE: you encrypt the data and someone else has an algorithm to decrypt it. The second way would be with public and private keys. The Flash plugin does NOT have any mechanism to be able to decrypt any cypher code.
    If you include the "algo" inside the applet, what's the point? A text/hex editor and half hour later your code would be decrypted!
    This is a similar train of thought to people who think displaying pictures in a Flash or Java applet will stop people from downloading them. Security by obscurity doesn't work for a couple of reasons:
    - the cache
    - sniffer software
    The only thing that you could do would be to sign your own Flash Player applet. But there what's the use of having a SWF if it needs a special plugin?
    From a web development point of view, I can say that most people using *advanced* functions of Flash are more or less aware of this issue but can not really tell when their code could be exploited.
    Hope this helps,
    lilliput

  22. thombba  Replied:
    ( 7/18/2005 At 2:33 PM)

    hi!
    is it safe to serve the swf via ssl?
    or can the file also get decrypted by decomplier-apps?
    regards.thombba

  23. Satori Canton  Replied:
    ( 7/18/2005 At 5:38 PM)

    Even over ssl, a swf has to be downloaded to the client to be viewed, so it can still be decompiled.

  24. Roget  Replied:
    ( 8/10/2005 At 1:31 PM)

    Flash security or any other platform is somewhat scary. And please guys, any info is good for us and we dont need to take it as a personal attack on flash!! My view, is to just catch those attackers, and set a world rule to finish them as if they were real "criminals" and the only solutions for them is life in slavery. Might be strong mesures, but when people know that their life will end up this way will think twice in playing with fire.
    After all we pay high costs for this on our daily life, might be good for skilled programmers, who can secure their client's applications and get paid well for their skills! but don't forget that we also pay for it too!! Still, security will always be an issue, what a man can do, another man can crack...
    Solution? my view above!

  25. JLM  Replied:
    ( 8/15/2005 At 9:19 PM)

    1) third party apps maybe worth looking at ie swishmax can not always be decompiled by flare, but it is quite good at decompiling graphics and text. Lots of dynamic loading in swf's will make decompiling that much harder.
    2) Don't use a text field in your swf for password, use another secretly named swf with a secret graphically based password for better securty encoding information in visual structures rather than text.
    just some ideas

  26. lilliput  Replied:
    ( 8/15/2005 At 10:18 PM)

    About the graphical password: a research paper to explain the different advantage & disadvantage : [PDF} http://cups.cs.cmu.edu/soups/2005/2005proceedings/p1-wiedenbeck.pdf

  27. Satori Canton  Replied:
    ( 8/16/2005 At 5:52 AM)

    lilliput,
    I hadn't thought about password protection in this context before, but with pixel level access to bitmaps in Flash 8, it's possible to use steganography techniques to obscure a password into a graphic file, and read it from flash. If you obscured what you were doing within the SWF, this could be a very effective security tool. We'll have to play with this when Studio 8 is released.

  28. lilliput  Replied:
    ( 8/18/2005 At 5:40 PM)

    This is not about steganography.
    for a short explanation:
    Most of the identification are done by a couple user and password, in certain case it's even more recommended to have a passphrase (easier to remember and more complex for a brute force attack)
    For a real secure connection if it has to be through a Flash application (I still recommend normal html form for the accessibility (blind people) and for those who don't have a flash player - linux 64bit plateform...
    So like we suggest in this Thread the password should not be saved in the Flash side.
    At least an encryption could be set between the server and the Flash application through a server public key - see RSA algorithm -
    Because of the graphic interface and some nice functionnality of actionscript inserting a picture and be able to localise an area of pixel is possible ( an area of 10x10 ) So this data would be considered as a password. The different advantage and disadvantage of such identification are explained in the pdf link that I give previously.
    This method could also be programmed with AJAX application (same system than google map than can detect the localisation of your click. - I even guess that with the google API, it's possible to set your last holidays trip as password)
    Sub question:
    if a flash are host on
    http://tarata.domain1.com/flash.swf
    and are display with a frame or directly in the html page http://turutu.domain2.com/mywebpage.html will flash.swf access the cookies from turutu.domain2.com ?

  29. steve  Replied:
    ( 8/24/2005 At 4:18 PM)

    Thank you for all the info, I'm new to security and flash. I'm just trying to stop people from printing my pictures from my swf files. My app is done in flash with xml. Is there a way to stop people from right clicking and printing and file and print and icon print.
    thank you in advance

  30. lilliput  Replied:
    ( 8/25/2005 At 6:13 PM)

    what you're asking is not possible. Pictures could be assimilate to audio. If you can listen a music then you still have a way to register what you heard ( plug a recorder on your soundcard output)
    The different -fake- protection in a code would be to put javascript to avoid right click - but desactivate javascript is really easy.
    Through Flash, you need to download the pictures then it will be saved as a temporary file somewhere and could or the real URL could be sniffed. In case of *streaming* meaning you develop your own way to download the file, a sniffer will still be able to reconstruct your file.
    In any case a simple 'Print Screen' and copy as a new file will do the trick.
    The best things to do is to put a copyright reserved, or not putting the file online;
    Google Map use the equivalent of GD function to put "Google" on every picture with a transparent layer.
    If you want to control that a file is coming from your website you can use md5 (search for md5sum), there is a method where you could replace the default preview of a file (don't have any name for that) and the third one is to put a hidden information in the file.
    In any case be sure that if you put file on internet they could be copy because that the nature of internet - distributing information.

  31. steven  Replied:
    ( 8/26/2005 At 5:19 AM)

    lilliput thank you for the reply.
    I will try the copyright on the image.
    I was just trying to charge $1 for the large print of the photo if the custome wanted. So this is why I was trying to block access to print the print on their now.
    thank you for the help
    one more question this one if for work I have limited knowledge on database connection. what i'm trying to do is connect a uploaded pictures of a customers package that has been lost and connecting it to a existent trference number that has been log in to another database. I dont want to connect the two database what I want to do is after you take the picture load it to the computer and with a flash / dreamweaver interface upload the image to a server and name it with the reference number (2005-0825-0234) then on the same page of the interface have a search box that will let me search by reference number and after it is found it brings up the picture.
    any help will be great on whay this of software or what would make it easier for me to creat this with thank you.

  32. dex002  Replied:
    ( 8/29/2005 At 4:12 AM)

    All very interesting. thanks Santo. Isn't it true, though, that if you only store your credentials in Flash as variables, that they cannot be retrieved? Provided you have locked down the server-side which provides Flash with the credentials in the first place.
    If you have a login page built in Flash which sends the username and password to the server over SSL, the server checks the credentials and send a message (true or false) back to Flash. If true, Flash records the username and password entered as _globals which can be used throughout the app. If Coldfusion is the middleware in this scenario, it handles the session and kills the credentials in memory when the browser is closed.
    I'm new to all this, so please let me know if there is a hole in my model.
    Cheers, and thanks again for a great blog!

  33. Satori  Replied:
    ( 8/29/2005 At 4:34 AM)

    dex002,
    The security hole in this case wouldn't be Flash, but it would be how you handle user inputs in ColdFusion.
    My point in the article is only to say how Flash code can be deconstructed, and therefore expose security risks where many users think they are covered.
    Properly employed, your middle-ware shouldn't trust client-side inputs and should have a way of validating client inputs (of any sort) and scrubbing malicious code.
    Satori

  34. ethical hacker  Replied:
    ( 9/21/2006 At 4:07 AM)

    ive heard there is a way of breking swf encrypt 3.0 encryptions
    is there a way

Login to post your comments. If you do not have an account with us please Register.
Copyright 2005 by ActionScript, Inc.   |  Privacy Statement  |  Terms Of Use  |  ActionScript Client Extranet