Is this a web application vulnerability?

I pass a variable to a SWF file that provides access to several other SWF files. You can see the line I'm using to assign a value to a variable under the comment THIS LINE below.

    <script type="text/javascript">
        /*THIS LINE*/
        var flashvars = {a: "<%= User.Identity.IsAuthenticated %>"};
        /*
           Some other stuff here...
        */
        swfobject.embedSWF("index.swf", "myAlternativeContent", "100%", "100%", "10.0", "expressInstall.swf", flashvars, params, attributes);
    </script>

I'm worried that someone using an HTTP proxy might just switch the value a from False to True if they want access. Am I right to worry?

Is there any other way I have to control if access to the child SWF is allowed?

+3
5 answers

, , . , , script .

, .

, (.. script, ), "true/false" - . , .

, .

, - , .

UPDATE:
, .

- ( .ashx). , SWF . , . , . .

, :

    swfobject.embedSWF("grabFile.ashx?id=123", "myAlternativeContent", "100%", "100%", "10.0", "expressInstall.swf", flashvars, params, attributes);

.ashx , . SWF .

+4

, . , .

+1

, html-, :

    var flashvars = {a: "AUTHENTICATED"};

+1

yup, , - . , .

0

. Firebug, , , , , . , :

    If User logged in:
        Put Flash in page
    Else:
        Put angry message

Flash , , Firebug ..

, :

    Put Flash in page
    Listen for requests from the Flash app to the server (for database content):
        If the User who requests content is logged in:
            Return content
        Else:
            Return angry message

.

Flash (.. ), (. Amember .). Flash , Flash, . , , , . , .

0
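
A server-side check of the kind sketched in the pseudocode above, applied to the `grabFile.ashx?id=123` URL from the first answer, as an added example that is not code from the question or from any answer. The `GrabFile` class, the id-to-file map and the `~/App_Data/swf/child.swf` path are assumptions made for illustration.

```csharp
// Code for grabFile.ashx (added example; class name, map and paths are assumptions).
using System.Collections.Generic;
using System.Web;

public class GrabFile : IHttpHandler
{
    // Hypothetical id -> file map. The child SWFs are kept under App_Data,
    // which ASP.NET does not serve directly, so this handler is the only
    // route to them.
    private static readonly Dictionary<string, string> Files =
        new Dictionary<string, string>
        {
            { "123", "~/App_Data/swf/child.swf" }   // constructed sample entry
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The decision is taken on the server from the authenticated request,
        // not from a flashvar that the browser or an HTTP proxy can rewrite.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Only ids present in the map are served; the id is never used as a path.
        string id = context.Request.QueryString["id"];
        string virtualPath;
        if (id == null || !Files.TryGetValue(id, out virtualPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Authenticated and known id: stream the SWF, and keep shared caches
        // from handing it to a later, unauthenticated request.
        context.Response.ContentType = "application/x-shockwave-flash";
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(context.Server.MapPath(virtualPath));
    }
}
```

With this in place the `a` flashvar can still be flipped in transit, but it no longer decides anything: a request for a child SWF without a valid login gets a 403 whatever the page told the parent movie.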

Source: https://habr.com/ru/post/1777502/

