
Vulnerability of flash movies in php

Posted: Tue Mar 14, 2006 8:14 am
by dorgon
When Flash games submit scores to be saved via PHP, the submission is actually vulnerable, because someone will reverse-compile the Flash movie, which they get from the website. Having done so, they will find the addresses & strings in the pages (e.g. save.php?record=1000), and will submit a pseudo-form, carrying false scores, to the web server via PHP.

As the addresses & strings are open in the Flash movie (no encryption), how can I distinguish whether the results were submitted by the web or by Flash? (I picked the getURL() function of Flash's ActionScript to try, but it is the same as with POST.) How can I restrict the results so that they are not submitted by the web? What are the options for security with encryption?

Remark: AES_ENCRYPT() & SSL must be established on the form, but the POST methods of the forms will be virtual.

Posted: Tue Mar 14, 2006 8:03 pm
by Ambush Commander
Anything from the user is not to be trusted. Which makes this fundamentally impossible to do.

You can, however, get pretty darn close. I think making the flash as much of a black box as possible would be best.
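
An added example, not part of the original thread: one way a save.php handler can narrow what a forged request achieves, by keeping the secret on the server, issuing a single-use token per game and rejecting scores that are implausible for the elapsed time. A player can still submit any plausible score with their own token, so this reduces the problem rather than removing it. The names SERVER_KEY, MAX_POINTS_PER_SECOND, issue_game_token() and accept_score(), and the token layout, are assumptions made for this example.

```php
<?php
// Added example. All constants and function names here are hypothetical.
const SERVER_KEY = 'replace-with-random-server-side-secret'; // never embedded in the SWF
const MAX_POINTS_PER_SECOND = 50;   // assumed game-specific ceiling
const MAX_GAME_SECONDS = 3600;      // assumed longest legitimate game

// Called when a game starts: token binds player, start time and a nonce.
function issue_game_token(string $playerId, int $now): string {
    $payload = $playerId . '|' . $now . '|' . bin2hex(random_bytes(16));
    return $payload . '|' . hash_hmac('sha256', $payload, SERVER_KEY);
}

// Called by save.php: returns the accepted score, or null if rejected.
// $usedNonces stands in for a database table of spent tokens.
function accept_score(string $token, string $playerId, $record,
                      int $now, array &$usedNonces): ?int {
    $parts = explode('|', $token);
    if (count($parts) !== 4) return null;                 // malformed token
    [$pid, $start, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$pid|$start|$nonce", SERVER_KEY);
    if (!hash_equals($expected, $mac)) return null;       // forged or altered
    if ($pid !== $playerId) return null;                  // issued to another player
    if (isset($usedNonces[$nonce])) return null;          // replayed token
    $score = filter_var($record, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($score === false) return null;                    // not a non-negative integer
    $elapsed = $now - (int)$start;
    if ($elapsed < 1 || $elapsed > MAX_GAME_SECONDS) return null;
    if ($score > $elapsed * MAX_POINTS_PER_SECOND) return null; // implausible
    $usedNonces[$nonce] = true;                           // spend the token
    return $score;
}

// Constructed demo: games started at t=1000, scores submitted at t=1060.
$used = [];
$token = issue_game_token('alice', 1000);
var_dump(accept_score($token, 'alice', '1000', 1060, $used));   // first use of a valid token
var_dump(accept_score($token, 'alice', '1000', 1060, $used));   // same token replayed
var_dump(accept_score(issue_game_token('alice', 1000), 'alice',
                      '999999', 1060, $used));                  // score too high for 60 s
var_dump(accept_score('alice|1000|00|deadbeef', 'alice',
                      '1000', 1060, $used));                    // token with a made-up MAC
```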