Re: [osflash] Xray Debugger - Possible security issues?

Sun, 08 Jan 2006 06:49:21 -0800

Well, that's all true enough, but I would suggest taking these 2 questions seriously if you have a boss/client that'd flip if they knew any Joe off the web could look through they're nice shiney new cutting edge site.  YOU know it's harmless, but try explaining that to the guy that just paid out 50g's.

Bob's got great points, and I would suggest people be cautious about leaving the connector in the production version.  True, most client's/boss' won't figure it out, but I feel better saying it outloud just incase it *might* be an issue for someone.



On 1/8/06, Bob Ippolito <[EMAIL PROTECTED]> wrote:

On Jan 7, 2006, at 8:39 PM, John Grden wrote:

> Yeah, I have to agree. Xray or not, you still have to validate the
> data coming from the client - whether you protect your methods/
> properties correctly or not.
>
> So, in saying that, locking down whether or not Xray exists in a
> site at production seems reduced to this line of questions:
>
> 1.  Are you talking to a server and transimitting data?  If yes,
> remove xray from the production files.

Why bother?  It makes it slightly less convenient to see what's going
on, but it's not impossible.  If you're worried about that then you
really need to spend more time with the server to make sure it's
robust against tampering.

> 2.  If no, do you care if people look around your flash site with
> Xray (though harmless to the site itself)? if yes, remove xray from
> the production files.

Again.. if the user wants to pick it apart, it's not that big of a
deal.  It's absolutely possible to develop a transparent proxy that
injects Xray or anything else into every SWF that goes across the
wire if one were so inclined.  The technology to implement this is
readily available -- and the developers on this list are largely to
thank (or blame) ;)

Hell, such a tool would actually be useful for developers.  They
wouldn't even need to bother inserting Xray in their projects
anymore, and it would render this discussion completely irrelevant.

My point is -- if you don't want a user to see something, don't ever
send it to them!  Otherwise, what's the harm in making it somewhat
accessible?  They could see it if they really wanted to anyway.

-bob


_______________________________________________
osflash mailing list
[email protected]
http://osflash.org/mailman/listinfo/osflash_osflash.org



--
John Grden - Blitz 
_______________________________________________
osflash mailing list
[email protected]
http://osflash.org/mailman/listinfo/osflash_osflash.org

Reply via email to