[osflash] Xray Debugger - Possible security issues?
happydog at gmail.com
Thu Jan 5 13:06:54 EST 2006
Couldn't someone just watch what addresses are called then do the same
thing (call the page directly)? Sure, they would need to know to look
for that, but it doesn't seem any more secure to me.
On 12/26/05, John Grden <neoriley at gmail.com> wrote:
> yeah, that's been a thought and discussion for a while now.
> the problem is, how do you lock it down?
> You can't put a password on the connector nor can you specify the local
> connection names - hacking an SWF is yesterday's news, so your proprietary
> information is not secure by any means. All a person does is hack your SWF,
> then they've got all the information they need.
> So, it comes down to: How does Xray load external data? Do we put the
> ability to type in a server side script URL, that the connector loads?
> Then, how do you keep someone from cracking your SWF, and calling the PHP
> page directly?
> The only thing that comes to mind is using the Xray interface to pass along
> the Server Side Script URL THROUGH the connector - Xray tells the connector
> what URL to call, it calls the page, and now, has the necessary data to do
> validation with the interface (Username/Password). Does that make sense?
> XrayInterface(url) -> connector -> url -> connector ->
> On 12/26/05, Benjamin Jackson < ben at incomumdesign.com> wrote:
> > I was wondering what the potential for security breaches is with
> > leaving the Xray debugger active on live sites. On the one hand, it's
> > important to be able to debug the live site if something goes wrong
> > after deployment. On the other hand, it doesn't seem too smart to allow
> > anyone with the debugger to execute arbitrary ActionScript on my swf.
> > Any opinions?
> > ___________________
> > Ben Jackson
> > Director of Development
> > ben at incomumdesign.com
> > http://www.incomumdesign.com
> John Grden - Blitz
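An added example, not code from Xray or from anyone in this thread: a model of a server-side check that does not depend on the script URL or the SWF contents staying secret, which is the concern raised in both messages above. It goes beyond the username/password idea in the thread by using a single-use challenge; `DebugGate`, `proof_for`, the 30-second lifetime and the sample secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)
SECRET = b"constructed-operator-secret"  # constructed; typed by the operator, never shipped in the SWF

def proof_for(username, secret, nonce):
    """HMAC the debugger interface sends instead of the secret itself."""
    return hmac.new(secret, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()

class DebugGate:
    """Hypothetical server-side check run before the debug endpoint does anything."""
    def __init__(self, users):
        self._users = users    # username -> shared secret (bytes)
        self._pending = {}     # issued nonce -> expiry timestamp

    def challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._pending[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, username, nonce, proof, now=None):
        now = time.time() if now is None else now
        expiry = self._pending.pop(nonce, None)  # single use, consumed even on failure
        if expiry is None or now > expiry:
            return False
        # Unknown users are checked against a random key so they fail the same way.
        key = self._users.get(username) or secrets.token_bytes(32)
        expected = proof_for(username, key, nonce)
        return hmac.compare_digest(expected.encode(), proof.encode())

def demo():
    gate = DebugGate({"dev": SECRET})
    n1 = gate.challenge(now=1000)
    p1 = proof_for("dev", SECRET, n1)
    results = {"legit": gate.verify("dev", n1, p1, now=1005),
               "replay": gate.verify("dev", n1, p1, now=1006)}  # observed request re-sent
    n2 = gate.challenge(now=1010)
    results["url_only"] = gate.verify("dev", n2, "", now=1011)  # knows the URL, not the secret
    n3 = gate.challenge(now=1020)
    results["expired"] = gate.verify("dev", n3, proof_for("dev", SECRET, n3), now=1051)
    return results

if __name__ == "__main__":
    print(demo())
```

The proof authenticates a single request only, so the exchange still belongs on HTTPS to keep the debug traffic that follows from being read or altered in transit.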