Peleus Uhley

Adobe

Created: 20 December 2007
Modified: 6 February 2009
User Level: Intermediate, Advanced
Products: Flash Player, Flash, Flex

Creating more secure SWF web applications

Note: This article was originally authored for Adobe Flash Player 9,0,115,0 and has been updated for Flash Player 10. Changes to this article were made to reflect updates to cross-domain HTTP and socket policies, user-initiated action requirements, and other protections added in Flash Player 10. The article was also updated to reflect recent projects, clarifications on Flash Player port usage, and additional best practices.

Adobe frequently updates the Flash Player software security model to improve the security of the Flash Player environment. However, that only addresses half of the overall solution to help securely deploy applications that run in Flash Player. As the web developer, you must also correctly leverage the tools provided by the Adobe ActionScript language and the Flash Player platform to help ensure that your SWF files are more secure. Poor programming conventions can expose SWF files and the sites that host them to web attacks. Adobe provides many resources for developers—such as the Flash Player security section of the Programming ActionScript 3.0 for Flash documentation—to assist with developing more secure code.

This article outlines many of the security considerations associated with common tasks and provides samples of techniques that can be used to help secure code against those threats. Links to the full documentation are provided throughout the article for further reference. These techniques are designed primarily for the Adobe Flash development environment, but they can also be applied by Adobe Flex developers.

This highly technical article presumes that you have some knowledge of the ActionScript language and Flash development. Due to its length, the article is broken up into different sections based on what you are trying to accomplish as a developer or administrator:

  • If you are an administrator who deploys Flash applications, you will be interested in the sections on HTML controls, domain segmentation, cross-domain policy files, and socket policy files.
  • If you are a developer who creates simple, self-contained SWFs such as advertisements, you will most likely be interested in the sections on data validation on URLs, JavaScript communication, and local shared objects.

Most of this article is targeted for those who create complex websites using the Adobe Flash Platform. Throughout the article, there are links to additional resources for greater detail on all the issues discussed.

Requirements

To get the most out of this article you will need to install the following software:

  • Flash Player 10
  • Flash CS4 Professional (optional)
  • Flex Builder 3 (optional)

Prerequisite knowledge

You should have an understanding of ActionScript 2.0, ActionScript 3.0, and Flash Player. Knowledge of Flash CS4 Professional or Flex is encouraged but not required.

About the author

Peleus Uhley is a senior security researcher within the Secure Software Engineering team at Adobe. His primary focus is assisting with Adobe platform technologies, including Flash Player and AIR. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a security consultant for companies such as @stake and Symantec.