Well, the Flash client has to load something from the server to let it know the "secure information" - whether that be IP, username/password or what have you.  I.e., Xray would have to make a call to an external PHP page to get back that unique information.  The PHP page would have to be provided through the Xray interface (not baked into the component) and passed to the component to make the call.

Does that make sense?

Since SWFs can be viewed in tools like ASV, any PHP URL you list would be viewable - hence why providing it through the Xray interface at your workstation is necessary.

On 1/5/06, Benjamin Jackson <[EMAIL PROTECTED]> wrote:
What if we restricted the connection somehow and tied it to an IP?
Don't know if that's technically possible, but it seems like it would
solve the problem.

On Dec 27, 2005, at 2:58 AM, John Grden wrote:

> yeah, that's been a thought and discussion for a while now.
>
> the problem is, how do you lock it down?
>
> You can't put a password on the connector nor can you specify the
> local connection names - hacking an SWF is yesterday's news, so your
> proprietary information is not secure by any means. All a person does
> is hack your SWF, then they've got all the information they need.
>
> So, it comes down to: How does Xray load external data? Do we put
> the ability to type in a server side script URL, that the connector
> loads? Then, how do you keep someone from cracking your SWF, and
> calling the PHP page directly?
>
> The only thing that comes to mind is using the Xray interface to pass
> along the Server Side Script URL THROUGH the connector - Xray tells
> the connector what URL to call, it calls the page, and now, has the
> necessary data to do validation with the interface
> (Username/Password). Does that make sense?
>
> XrayInterface(url) -> connector -> url -> connector ->
> XrayInterface.validation
>
> Thoughts?
>
> On 12/26/05, Benjamin Jackson <[EMAIL PROTECTED]> wrote:
>> I was wondering what the potential for security breaches is with
>> leaving the Xray debugger active on live sites. On the one hand, it's
>> important to be able to debug the live site if something goes wrong
>> after deployment. On the other hand, it doesn't seem too smart to
>> allow anyone with the debugger to execute arbitrary ActionScript on
>> my SWF.
>>
>> Any opinions?
>> ___________________
>> Ben Jackson
>> Director of Development
>>
>> [EMAIL PROTECTED]
>> http://www.incomumdesign.com
>>
>>
>> _______________________________________________
>> osflash mailing list
>> [email protected]
>> http://osflash.org/mailman/listinfo/osflash_osflash.org
>
>
>
> --
> John Grden - Blitz
>
___________________
Ben Jackson
Director of Development

+55 (21) 2256-1022
[EMAIL PROTECTED]
http://www.incomumdesign.com





--
John Grden - Blitz