开发者

Secure Ajax with Flash

In order to secure Ajax requests, Ran Bar-Zik sugested to "create a small fl开发者_StackOverflow社区ash file to receive the data, SALT it and encrypt it with MD5. Than sent it to the server. The attacker is able to see the data but it is encrypted." Does anybody who has done this would want to share the code with the world? Thanks :-)


Mr Ran Bar-Zik is mistaken. The security system he has proposed violates CWE-602 and is "(in)security though obscurity".

In short the problem is that the server is providing data to a client side application. The client can do whatever he pleases. He can modify the javascript code or intercept and modify all communications using TamperData or Burp Proxy. A flash application can be decompiled and any secrets stored in memory can be obtained with a debugger like ollydbg. There is no solution to this problem.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜