Creating more secure SWF web applications

Developer checklist for writing more secure SWF applications

Data validation

  • Check for malicious URLs in all imported data
  • Escape special characters when writing into an HTML text field
  • Validate all data received from outside resources such as LocalConnections, LoadVariables, and XMLSockets
  • Use encrypted protocols where possible to prevent man-in-the-middle attacks
  • Check for returned exceptions as they may be an indication of malicious data
  • Be aware of situations where remotely loaded SWF files can script into your SWF and alter your variables and functions
  • Utilize ActionScript 3.0 rather than ActionScript 2.0 to prevent uninitialized variable attacks

Protecting sensitive data

  • Set the secure flag on local shared objects when using SWF files with SSL
  • Do not override the default path on the local shared object, or if it is necessary, set the path to the most restrictive path
  • Do not set the Secure flag to false within crossdomain.xml files
  • Do not use the allowInsecureDomain() method for SWF communication
  • Limit allowDomain() settings to specific domains
  • If SSL is used, use it consistently throughout the entire application workflow
  • Do not override the exactSettings setting in Flash Player
  • Leverage third-party libraries for additional cryptography

Cross-domain communication

  • Use specific domains in crossdomain.xml files
  • Leverage meta-policies to limit cross-domain and socket policies on your server
  • Do not use wildcards in domain or header settings within the cross-domain or socket policy file
  • Consider the most appropriate form of communication for the task at hand (i.e., a single method through LocalConnection vs. cross-scripting)
  • Use full domain names within allowDomain() settings
  • Be aware of the issues with import loading a SWF file into the current security domain via Loader.loadBytes or setting the securityDomain in LoaderContext
  • Do not override the exactSettings flag in Flash Player
  • Do not use unvalidated FlashVars as arguments to loadPolicyFile()

Preventing cross-site scripting attacks

  • Set appropriate allowScriptAccess and allowNetworking parameters within the HTML code
  • Perform data validation on variables sent to URL functions to ensure only http:// and https:// protocols are allowed; validate that the URL is for an allowed domain or use relative URLs
  • Escape special characters placed within HTML text fields
  • Do not use HTML text fields unless HTML support is needed
  • Compile the SWF for more recent Flash Player versions
  • Encourage users to have the latest version of Flash Player to view your content
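The URL-validation rule above (only http:// and https://, only allowed hosts, or a relative URL) as an added example in Python, not code from the original page; the ALLOWED_HOSTS set and the sample URLs are constructed for illustration. The same logic would be written in ActionScript in front of navigateToURL() or a Loader.load() call.

```python
"""Allowlist check for URLs before they reach a navigation or loading call."""
import re
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may load from or link to.
ALLOWED_HOSTS = {"www.mysite.com", "cdn.mysite.com"}

# Whitespace, control characters and backslashes are rejected outright: browsers
# normalise them in ways that can turn a "relative" string into another scheme.
_FORBIDDEN = re.compile(r"[\s\x00-\x1f\\]")


def is_safe_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for http(s) URLs on an allowed host or for relative URLs."""
    if not url or _FORBIDDEN.search(url):
        return False
    parts = urlsplit(url)
    if parts.scheme == "":
        # No scheme: accept only a genuinely relative path, never a
        # protocol-relative "//other.host/..." reference.
        return parts.netloc == "" and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data:, file:, ftp: and any other scheme.
        return False
    # hostname strips userinfo and port, so "http://www.mysite.com@evil.example/"
    # is compared as "evil.example" and rejected.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def check_all(urls, allowed_hosts=ALLOWED_HOSTS):
    """Map each candidate URL to its verdict, handy when auditing FlashVars."""
    return {u: is_safe_url(u, allowed_hosts) for u in urls}
```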

Spoofing

  • Set masks on loaders for externally loaded SWF files
  • Only allow trusted SWF files to use full-screen mode

Information Disclosures

  • Do not store sensitive encryption keys or passwords in a SWF file because it can be decompiled
  • Compiler flags such as "Protect From Import," "Omit Trace Actions," and "Permit Debugging" will not prevent determined attackers
  • Be aware that data stored in shared objects is also readable by third parties that have file system access, since the data within the shared object is not encrypted
  • Use available cryptographic libraries when possible for encrypting data
  • Use an SSL connection consistently for more secure Internet communications

Website administration techniques for securing content

Explicitly set the allowScriptAccess, allowNetworking, and allowFullScreen settings for each SWF. By explicitly setting these values for all SWF files, administrators can ensure that the SWF files only have the access the administrator wants to grant and will not rely on Flash Player defaults for the compiled version when the SWF interacts within the web page.

Link to untrusted SWF files from your own domain by IP address rather than domain name. Referencing the untrusted SWF files by IP address will put them in a separate Flash Player security domain from the SWF files that are referenced by their domain name (e.g., http://1.2.3.4/my.swf does not have access to http://www.mysite.com/myOtherSWF.swf even though they are on the same server). Avoid using the IP address that is associated with your domain name via DNS.

Avoid specifying wildcards in cross-domain policy files. Use restrictive crossdomain.xml files that allow access only to sites that are explicitly trusted. Limit the headers you accept to those necessary for your application. Where a wildcard is unavoidable, prefer a sub-domain wildcard such as *.mysite.com over allow-access-from domain="*". Use commas ("456,457,468") and ranges ("456-458") in port settings to avoid setting to-ports="*" within socket policy files.

Use sub-directory crossdomain.xml files to avoid putting domain="*" in the root crossdomain.xml file. By utilizing sub-directory crossdomain.xml files, web administrators can put domain="*" only in the parts of the website that really need to be accessible to all domains.

Utilize the meta-policy directives. The meta-policy system can help to ensure that only the cross-domain policies created by the administrator are recognized by Flash Player. Placing a master socket policy file with meta-policies on port 843 can help restrict what ports are allowed to host additional socket policy files. If no access is intended for your site then create an HTTP cross-domain file with a site-control meta-policy of "none" and no allowed domains listed. It is better to use the HTTP meta-policy of "by-content-type" than "all" for sites that contain multiple cross-domain policy files. If you select "all" and your site provides end-user upload functionality, then you should take into account the threat of end-users who will try to upload malicious cross-domain policies to your site.
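A small auditor for the policy-file settings discussed in this section (domain="*", to-ports="*", wildcard headers, secure="false", and the site-control meta-policy), written in Python as an added example that is not part of the original page. Both policy documents below are constructed samples, not policies from any real site.

```python
"""Flag weak settings in a Flash cross-domain or socket policy file."""
import xml.etree.ElementTree as ET

# Constructed example of a policy with every weak setting this section warns about.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*" to-ports="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed example of the same policy tightened as the section recommends.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type"/>
  <allow-access-from domain="*.mysite.com"/>
  <allow-access-from domain="partner.example" to-ports="456-458,468"/>
  <allow-http-request-headers-from domain="www.mysite.com" headers="X-Requested-With"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of findings; an empty list means no weak setting was found."""
    root = ET.fromstring(xml_text)
    findings = []
    site_control = root.find("site-control")
    if site_control is None:
        findings.append("no <site-control> meta-policy: other policy files on the site may be honoured")
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('permitted-cross-domain-policies="all": prefer "by-content-type" or "master-only"')
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may read this content')
        # The secure attribute only matters when set explicitly to false.
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false" for %s: HTTP-loaded SWFs may read HTTPS content' % domain)
        if rule.get("to-ports") == "*":
            findings.append('to-ports="*" for %s: list explicit ports or ranges' % domain)
    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" or rule.get("headers") == "*":
            findings.append("wildcard in allow-http-request-headers-from domain or headers")
    return findings
```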

Auditor checklist

If a SWF application has already been authored and it is now necessary to review the code looking for potential vulnerabilities, the methods listed below perform critical data operations that are useful to examine as part of your review process.

ActionScript 3.0 methods

Functions that display HTML code:

TextArea.htmlText

Functions that make networking calls:

FileReference.download(), FileReference.upload(), Loader.load(), LocalConnection.connect(), NetConnection.connect(), NetStream.play(), Security.loadPolicyFile(), SharedObject.getLocal(), SharedObject.getRemote(), Socket.connect(), Sound.load(), URLLoader.load(), URLStream.load(), XMLSocket.connect(), ExternalInterface.call(), navigateToURL(), sendToURL()

Functions and objects that accept URLs:

URLRequest(), NetConnection.connect(), XMLSocket(), XMLSocket.connect(), NetStream.play(), TextFormat.url, FLVPlayback.load(), FLVPlayback.play(), FLVPlayback.source, FLVPlayback.skin, FLVPlaybackCaptioning.source, ImageCell.source

Functions that perform content-loading:

Loader.load(), Sound.load(), NetStream.play()

Functions that communicate with the web browser:

ExternalInterface.call(), ExternalInterface.addCallback(), fscommand(), navigateToURL()

Functions for accessing FlashVars:

LoaderInfo.parameters(), paramObj()

Functions for accessing SharedObjects:

SharedObject.getLocal(), SharedObject.getRemote()

ActionScript 2.0 methods

Functions and objects that accept URLs as strings:

MovieClipLoader.loadClip(), MovieClip.getURL(), getURL(), MovieClip.loadMovie(), MovieClip.loadVariables(), NetConnection.connect(), LoadVars.load(), LoadVars.send(), LoadVars.sendAndLoad(), NetStream.play(), XML.load(), XML.send(), XML.sendAndLoad(), XMLSocket.connect(), XMLSocket.send(), Sound.loadSound(), FileReference.download(), FileReference.upload(), System.security.loadPolicyFile(), loadMovie(), loadMovieNum(), loadVariables(), SharedObject.getRemote(), TextFormat.url

Functions that display or accept HTML:

TextField.html, TextField.htmlText, TextFormat.font

Functions that communicate with the web browser:

ExternalInterface.call(), ExternalInterface.addCallback(), fscommand(), getURL(), MovieClip.getURL()

Functions for accessing FlashVars:

_root, _level0, _global

Functions for accessing shared objects:

SharedObject.getLocal(), SharedObject.getRemote()

Functions that make networking calls:

XML.load(), XML.send(), XML.sendAndLoad(), LoadVars.load(), LoadVars.send(), LoadVars.sendAndLoad(), loadVariables(), loadVariablesNum(), MovieClip.loadVariables(), NetConnection.connect(), NetStream.play(), loadMovie(), loadMovieNum(), MovieClip.loadMovie(), MovieClipLoader.loadClip(), Sound.loadSound(), LocalConnection.connect(), LocalConnection.send(), SharedObject.getLocal(), SharedObject.getRemote(), FileReference.upload(), FileReference.download(), System.security.loadPolicyFile(), XMLSocket.connect()

Generally risky:

eval()