Vulnerability of Flash movies in PHP
Posted: Tue Mar 14, 2006 8:14 am
When Flash games submit their scores to be saved via PHP, the submission is actually vulnerable, because someone will reverse-compile the Flash movie, which they will get from the website. In that case, they will find the addresses and strings in the pages (e.g. save.php?record=1000), and will submit a pseudo-form showing false scores to the web server via PHP.
As the addresses and strings are exposed in the Flash movie (no encryption), how can I distinguish whether the results were submitted by the web or by Flash? (I have tried the getURL() function of Flash's ActionScript, but it is the same as with POST.) How can I restrict the results so that they are not submitted by the web? What are the options for security with encryption?
Remark: AES_ENCRYPT() and SSL must be established on the form, but the POST methods of the forms will be virtual.