Is this a web application vulnerability?
I am passing a variable to a SWF file that provides access to several other SWF files. You can see the line I am using to assign the value to the variable beneath the THIS LINE comment below.
<script type="text/javascript">
/*THIS LINE*/
var flashvars = {a: "<%= User.Identity.IsAuthenticated %>"};
/*
Some other stuff here...
*/
swfobject.embedSWF("index.swf", "myAlternativeContent", "100%", "100%", "10.0", "expressInstall.swf", flashvars, params, attributes);
</script>
I am concerned that someone using an HTTP proxy could just switch the value of a
from False to True if they wanted access. Am I right to be worried?
Is there a different way I should be controlling whether access to the child SWF is allowed?
I would say don't emit anything that they don't have access to. In this case, if they aren't authenticated, don't send any of that script to the browser.
Yes, you should be concerned.
Assuming you can't change the flow (ie: you have to send the script even if they aren't authenticated), then I'd change the "true/false" value to some type of key. The children should verify the key was passed before executing.
If possible, make the key user specific.
This doesn't completely solve the issue, but it would be harder for someone to provide a key that they don't have.
UPDATE:
Based on the very good comments, I have a different route.
Add a web request handler (.ashx file) to the site. Have the client call that to load the swf file. The handler should first test to see if they are indeed logged in. If they are, serve the file. If not just close the connection.
Basically change the embed line to look something like:
swfobject.embedSWF("grabFile.ashx?id=123", "myAlternativeContent", "100%", "100%", "10.0", "expressInstall.swf", flashvars, params, attributes);
Then have a .ashx request handler on your site test for being logged in prior to response.writing the actual contents of the swf file.
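As an added illustration of the handler described in this answer (not the poster's code), a minimal grabFile.ashx that checks the server-side session before streaming the child SWF. The id-to-file map and the ~/protected-swf/ folder are assumptions; any real deployment would use its own.

```csharp
<%@ WebHandler Language="C#" Class="GrabFileHandler" %>

using System.Collections.Generic;
using System.Web;

// Hypothetical handler: the client embeds "grabFile.ashx?id=123" and the
// server decides, per request, whether the SWF is released. The flashvar
// value sent to the browser plays no part in that decision.
public class GrabFileHandler : IHttpHandler
{
    // Allow-list mapping query ids to files (constructed sample). Only
    // listed files can be served, so the id is never used as a path.
    private static readonly Dictionary<string, string> Files =
        new Dictionary<string, string>
        {
            { "123", "child1.swf" },
            { "124", "child2.swf" },
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Server-side authentication check (forms auth / Windows auth both
        // populate context.User; an anonymous request fails here).
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 403;
            return;
        }

        string fileName;
        string id = context.Request.QueryString["id"];
        if (id == null || !Files.TryGetValue(id, out fileName))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Assumed folder; it must also be denied to direct requests in
        // web.config so the handler cannot simply be bypassed.
        string path = context.Server.MapPath("~/protected-swf/" + fileName);
        context.Response.ContentType = "application/x-shockwave-flash";
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.TransmitFile(path);
    }
}
```

The check runs on every request for the file, so copying the embed snippet while logged in and replaying it later, as the other answers describe, only yields a 403.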
Yes, they could. Security doesn't work on the client side, you'd have to control access to the files from the server.
Yes, what is keeping an attacker from writing a static html page that does this:
var flashvars = {a: "AUTHENTICATED"};
yup, this is a vulnerability and you don't need to use a proxy to exploit it. You should refuse access at the server if your users aren't authenticated.
Yes. If the user has Firebug, they could simply look at what the application's code looks like when logged in, and then change it to mirror that when they're not logged in. You should handle authentication on a per request basis, and server-side. If you try:
If User logged in:
    Put Flash in page
Else:
    Put angry message
The user can still copy the Flash snippet when they're logged in, and paste it when they're not logged in, with Firebug, etc.
However, if you use:
Put Flash in page
Listen for requests from the Flash app to the server (for database content):
    If the User who requests content is logged in:
        Return content
    Else:
        Return angry message
This will work.
If the entire app is Flash based (ie, it doesn't need database access), the only way to secure it will be to protect folders at the server level (see Amember, et al). Even if you make the Flash application rely on a dongle with the server for authentication purposes, the user can simply download your Flash scripts, decompile them and distribute them for free use. They can still do this with the folder protection, but at least free users won't have that access. Your best bet is to make the application rely on content that comes from your server.