Wednesday, November 19, 2008

Flex-specific security considerations

When it comes to security there is no end to what one can do, but the basic techniques an attacker uses remain the same. In the case of a RIA built with Flex, there are a few important and unique considerations.


  • It’s very simple to decompile a Flex or Flash file. The SWF file format is public and many decompilers already exist. The same can be said about JavaScript, but with Flex-based RIAs a lot of context and logic is kept on the client side. If you are a fan of saving sensitive data on the client side, watch out! It is too easy for anyone to see what you are doing on the client.
  • It’s equally easy to monitor the requests and results a Flex app exchanges with the server. This and the point above make it a breeze to learn the URIs and expected parameters of your PHP scripts. Software like Ethereal does a great job of showing what is being sent and received.
  • Most Flex/PHP/JSP applications expect and return clean, simple XML data. This data can be parsed easily to see whether any security holes can be exploited. That is why you will have to seriously consider the binary protocol AMF and start using one of its implementations: BlazeDS, LCDS or AMFPHP. Keep in mind that AMF is an encoding, not encryption: a proxy or decoder reads it as easily as XML, so every parameter still has to be validated on the server.
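To make the last point concrete, here is an added example (not code from the original post or from any of the AMF libraries named above): a minimal AMF0 encoder/decoder written from the public AMF0 type markers. The sample message, field names and values are constructed for illustration; decoding it shows that a binary wire format exposes the same field names and values an XML payload would, which is why server-side validation is still required.

```python
import struct
# Minimal AMF0 codec written from the public AMF0 type markers:
# 0x00 number (IEEE double), 0x01 boolean, 0x02 string (u16 length prefix),
# 0x03 object (key/value pairs ending with empty key + 0x09), 0x05 null.
def amf0_encode(value):
    if value is None:
        return b"\x05"
    if isinstance(value, bool):  # must precede the int check
        return b"\x01" + (b"\x01" if value else b"\x00")
    if isinstance(value, (int, float)):
        return b"\x00" + struct.pack(">d", float(value))
    if isinstance(value, str):
        data = value.encode("utf-8")
        return b"\x02" + struct.pack(">H", len(data)) + data
    if isinstance(value, dict):
        out = b"\x03"
        for key, val in value.items():
            kdata = key.encode("utf-8")
            out += struct.pack(">H", len(kdata)) + kdata + amf0_encode(val)
        return out + b"\x00\x00\x09"  # object-end marker
    raise TypeError(f"unsupported type: {type(value).__name__}")
def amf0_decode(buf, pos=0):
    """Decode one AMF0 value at buf[pos]; returns (value, next_pos)."""
    marker = buf[pos]
    pos += 1
    if marker == 0x00:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == 0x01:
        return buf[pos] != 0, pos + 1
    if marker == 0x02:
        (length,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        return buf[pos:pos + length].decode("utf-8"), pos + length
    if marker == 0x05:
        return None, pos
    if marker == 0x03:
        obj = {}
        while True:
            (klen,) = struct.unpack(">H", buf[pos:pos + 2])
            pos += 2
            if klen == 0 and buf[pos] == 0x09:
                return obj, pos + 1
            key = buf[pos:pos + klen].decode("utf-8")
            pos += klen
            obj[key], pos = amf0_decode(buf, pos)
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")
# Constructed sample body: a client that (wrongly) ships its own authorization
# flag. Decoding it shows every field name and value in the clear.
SAMPLE = amf0_encode({"user": "alice", "isAdmin": True, "amount": 250.0})
```

Running `amf0_decode(SAMPLE)` returns the plain dictionary, so an `isAdmin` decision made on the client is fully visible and must be re-derived from the server-side session instead.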


Hope it helps!




