A Flash Developer Resource Site


Thread: [F8] LoadVars, PHP and Security

  1. #1
    sffc (Member), Join Date: Aug 2006, Location: North of the South Pole, Posts: 46

    [F8] LoadVars, PHP and Security

    One of the most prominent problems that I have while programming web applications is communicating information to the server in a secure manner. I have asked this question in the past under different circumstances, but all of the answers I receive have to do with the XSS, CSRF, and other such attacks. My question regards a different "branch" of security. I'll try to state my problem as clearly as possible:

    When using LoadVars in ActionScript and AJAX in JavaScript, the client can easily tell the server-side script that was queried and what sorts of variables were sent to it. Knowing this basic information, any decent programmer could manipulate that server-side script to change things in databases that should be changed only with a "legitimate" request (that is, one coming from LoadVars and not from a hacker).

    I understand that it is impossible to fully secure AJAX requests in the manner described above. However, knowing how flash works differently than JavaScript with server-side communication, is it possible for Flash to communicate with the server (in my case PHP) in a manner which a hacker could not take advantage of?

    My web site is hosted, so preferably the solution wouldn't deal with installing any other software in Apache. BTW, the server is Linux-based, if that makes any difference.

    Thank you very much in advance; this issue has been bothering me since I first implemented client-server communications in my programming.
    Last edited by sffc; 09-27-2008 at 12:24 AM.

  2. #2
    mneil (Developing For Dunkets), Join Date: Mar 2007, Location: Lincoln City, Posts: 2,156
    I believe they could only manipulate your data if they were capable of putting in incorrect data in the swf and submitting it to the server. LoadVars allows you to use POST, and $_REQUEST on the php side, making it a little safer than GET which could be intercepted. Flash also has a pretty strict cross domain policy that only would allow someone to do something like load your swf into another to manipulate data if you specifically allowed them with something like a policy file.

    Rather lengthy security article:
    http://www.adobe.com/devnet/flashpla...8_security.pdf
    http://code.mneilsworld.com/
    Text Effects | Bubbles | Dynamic Resize
    4 weeks , 20 papers ... thats 2 dollars .....Caassshhh!

  3. #3
    sffc (Member), Join Date: Aug 2006, Location: North of the South Pole, Posts: 46
    Thanks for the response. I am aware of LoadVars's ability to use POST data, and have taken advantage of it in the past. Though it is a bit more "secure" than using GET variables, I'll try to be a bit more specific with my question:

    A hacker can monitor the requests that Flash sends to the server. Let's say Flash sends a password, via a POST variable, that activates confidential data on a page for Flash's use. Knowing what sort of data Flash sent, a hacker can make the exact same request (with the same POST variables) and gain access to the data which should be restricted for Flash's access. For example, say Flash sends a request to secure.php with the POST variable pass=loremipsum. Knowing that, a hacker could make a form or something pointing to secure.php with the same POST variable, thus gaining access to the confidential data.

    Knowing this, I figured that the only way to make an un-sensorable request from Flash would be via something like an XMLSocket, in which one request is made and kept alive with various messages being sent from client to server without the need for an additional request. Is something like this possible in Flash? If so, could it be done without installing anything special on the server?
    Last edited by sffc; 09-27-2008 at 10:04 PM.
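    The replay problem described in posts #1 and #3 is not solved by POST instead of GET: a secret embedded in the SWF can be read out of the SWF and resent by anyone. What the server can do is stop relying on a client-held secret. The following secure.php is an added example, not code from the thread or any poster; it assumes a login.php that sets $_SESSION['user_id'] and issues the first token, that the browser's session cookie accompanies each LoadVars request, and it uses a hypothetical load_confidential_data() in place of the real lookup.

```php
<?php
// Added example, not code from the thread: secure.php rewritten so access
// depends on a server-side session plus a one-time token instead of a
// password carried by the SWF. Names and $_SESSION keys are assumptions; PHP 7+.

// Before: the pattern from the thread. The secret ships inside the SWF,
// so one captured request ("pass=loremipsum") can be replayed by anyone.
function vulnerable_check(array $post): bool
{
    return isset($post['pass']) && $post['pass'] === 'loremipsum';
}

// After: the secret never leaves the server. The user logs in once
// (login.php verifies credentials, sets $_SESSION['user_id'] and issues the
// first token); the browser's session cookie accompanies each LoadVars
// request, and the SWF echoes back the token it was last given.
function hardened_check(array $session, array $post): bool
{
    if (empty($session['user_id'])) {           // not authenticated
        return false;
    }
    if (empty($session['token']) || empty($post['token'])) {
        return false;                            // nothing to compare
    }
    // Constant-time compare; a replayed or forged token fails here.
    return hash_equals($session['token'], $post['token']);
}

// Rotate the token so each response authorizes exactly one more request.
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Placeholder for the real data lookup (constructed value, not a real query).
function load_confidential_data(int $userId): string
{
    return 'report-for-user-' . $userId;
}
session_start();
header('Content-Type: text/plain');
if (!hardened_check($_SESSION, $_POST)) {
    http_response_code(403);
    exit('status=denied');
}
$next = issue_token($_SESSION);
// LoadVars.sendAndLoad() parses this URL-encoded body into properties.
echo 'status=ok&data=' . rawurlencode(load_confidential_data((int) $_SESSION['user_id']))
   . '&token=' . $next;
```

    A form on another site that copies the POST body (the attack post #3 describes) fails at the token check, and a request without the logged-in session cookie fails at the first check; HTTPS, raised later in the thread, additionally protects the session cookie and token in transit.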

  4. #4
    Kirill M. (Senior Member), Join Date: May 2002, Location: Toronto, Canada, Posts: 711
    I think it may be possible to send requests with https in flash, although I haven't experimented with that. Maybe that would solve your problem? I would probably try that before implementing an encryption algorithm in AS.

  5. #5
    sffc (Member), Join Date: Aug 2006, Location: North of the South Pole, Posts: 46
    Quote Originally Posted by Kirill M.
    I think it may be possible to send requests with https in flash, although I haven't experimented with that. Maybe that would solve your problem? I would probably try that before implementing an encryption algorithm in AS.
    How would something with HTTPS work? It seems like a good idea; does it require any "special" server software? I tried visiting my web site with "https://" rather than "http://", but it wouldn't load. I also saw something about SSL; how could I do something like that?

    Many thanks for the responses so far.

  6. #6
    mneil (Developing For Dunkets), Join Date: Mar 2007, Location: Lincoln City, Posts: 2,156
    It will require a little extra on the server, and cost more each month. But I don't know how that works either.
    http://code.mneilsworld.com/
    Text Effects | Bubbles | Dynamic Resize
    4 weeks , 20 papers ... thats 2 dollars .....Caassshhh!

  7. #7
    Kirill M. (Senior Member), Join Date: May 2002, Location: Toronto, Canada, Posts: 711
    https is a different protocol from http which a normal web server uses. If you have any control over your web server I'm sure there must be something in the config that allows you to run it as an https server. But I haven't run any web servers myself, so I can't really help much in that territory.
