I have started developing a drawing application in as3. I am thinking that I could integrate a cms and allow swf files to be uploaded in runtime as graphics.What are the potensial security issues involving third party possibly malicious swf files here?
I would simply be adding the swf as a custom sprite class to a masked container sprite.
Does this open a hole to run other scripts ( js on another server? ) and or give access to the client's computer in unsafe ways?
I would appreciate any recomendations reading and or advice / experience in swf hosting like this. I see this being done on many sites now such as wonderfl and activeden.
This is the ActionScript equivalent to XSS. Your domain will no longer be protected by the Same Origin Policy. This can be used by an attacker to hijack a Session ID (Cookie), deface your web site, or deliver exploit code to any browsers visiting your site.
I think instead of saving a whole mess of SWFs on the server, it would be better to serialize your drawing data, and have your main SWF just redraw the drawing based on the loaded data. You can still use a CMS/Database to store and manage this data.
EDIT*
If you need to load SWFs, take a look at Specifying loading context. And maybe also take a read through Loading Content.
Related
How to restrict the game locally?. I know the browser sitelock. But i do not know how much it is effective.
I played the games in http://www.gameark.com/. If you download the games from this website, you cannot play it locally. How to do this?
Thanks.
I'm using http://www.swfshield.com to do this without pain.
What they do is actually converting your swf into binary or some sort, and wrap it inside a loader (I'm not sure.. It's just my guess...). I use this swfshield to protect my swfs from being decompiled and being stolen.
It will not load locally if you do single domain lock. So, basically, it won't literally load in any domain other than the specified domain.
Additionally: I've tried at least five different decompilers to decompile the protected swf from swfshield.com, but none of them were able to get a single hint about the swf. :)
I need my Flash client to communicate with a server securely (through binary sockets). For this, I was thinking of embedding a pre-shared key inside the AS3 code and exchanging XORed data through a custom protocol.
I am told that SWF decompilers do a good job at making all embedded code clearly apparent and readable. Does this mean that I can't really hide my key?
If this method is impractical, what other options are there? I have tried as3crypto, only to find that it's full of shortcomings and lacks serious documentation.
You cannot hide your key at all - SWF is totally untrusted, can be easily decompiled. It's pretty difficult to deal with security with SWF's because they run on the client and are not trusted.
It might depend specifically on what you are trying to accomplish with secure communication. For instance, if you are trying to secure a high-score system that is pretty much impossible because the game runs on the client (the SWF) and they can manipulate it to spit out any score they want to the server. Here is a good read on this: What is the best way to stop people hacking the PHP-based highscore table of a Flash game
If you can use the SWF only as a front-end UI and all logic takes place on the back-end, then you can secure your application (using the above highscore example, if the game was not an AS3 game but actually ran on the server itself, it would be a lot easier to secure, because the backend is trusted and cannot be modified or viewed by a user), but if the logic takes place on the SWF then you are pretty much out of luck.
I am building an online game, similar to a flash online game, but using HTML only. (HTML5)
I would like to prevent people from copying it and putting the game on their site.
With flash, I used to do this by adding the URL check to make sure it was running on my site, but this seems useless if i can only put the check in Javascript.
Is there anything that can prevent someone from simply copying the game?
as a followup..
Can I protect the source at all? (aside from obfuscation with javascript.)
Thanks!
Unfortunately if the game engine is 100% JavaScript, the most practical way to do this would be with obfuscating your code. Here's a link to a site that does just that.
However, by using Ajax which allows your client side script to communicate with your server, you can store the majority of your game's logic and functionality on your server in any type of server-side scripting such as PHP.
Basically your PHP (or some other language) files on your site would get requests from the user's machine to make decisions about logic in the game whenever logic is needed for the game to function, and your server would respond, all through using Ajax. Then someone could only really copy half of your game - that part stored in JavaScript.
The one downside with this method is that it may slow down the user's game drastically due to having to communicate with the server constantly.
Hope this helped and made sense!
No way to do this, it's the nature of the web. Your best bet is obfuscating your code.
I'm writing a game to be run locally, on the user's computer. NOT over the internet.
I want to have a file that will hold the usernames and avatar indices (they're in an array).
I want to know if there's a way to write to files through Flash with AS3. I'm using CS4.
I'd also like to know if you can delete files through Flash, though that's just optional.
Thanks in advance for any help you can give.
If you want to make a game that runs locally on someone's computer, you should make it in Adobe AIR. AIR apps can read and write files, and do all sorts of useful things like show updates in the taskbar, etc. Whereas a simple SWF that you download and run locally can't do anything useful that it couldn't already do in the browser - it can't write or delete local files, for a start. (It can read local files, but only if you disable it from accessing the network.) Moreover, the standalone Flash player is not generally disseminated, so unless the user is a Flash developer they're just going to view your SWF in a browser anyway (unless you plan to publish projectors, which I also wouldn't recommend).
With all that said, however, even if you do your game as local flash content, you can still store information by using SharedObjects. They work the same way offline as online. You can't write the data out as a separate file, but you can store it between sessions easily enough.
if i understand what you are trying to do then why dont you use Adobe AIR? this is flash for the desktop
I'm writing a flash app using the open source tools. I would like to load a data file in to the app and capture a screenshot of the stage on the server. The only part that seems mysterious is running the app on the server. In fact, I don't even care if it's the same app running on the server and in the browser--if I can use the flash stage and drawing routines to produce an image server-side, I'm happy. If I have to delve in to flex, fine. Right now I'm having problems finding any starting point at all.
I gather Adobe has some commercial products that may fit the bill, but I'd like to stick with open source, apache, and linux. I know this is probably possible with haxe/neko, but I'd like to use more mainstream tools if possible. Am I asking too much?
EDIT/CLARIFICATION: Many thanks for the responses so far, but I think I've been a bit muddy in my description. I've already written the actual stage-grabbing stuff using the same PNGEncoder class as was suggested. The problem is in actually running the swf on the server side. I don't want to let the client take the screen shot itself, because this opens up the possibility of the client maliciously submitting a screenshot which does not correspond to what is on the stage, that is, I don't want users uploading porn. If I could run the the actionscript code on the server, then I could generate the screenshot from my data files and be sure that the screenshot matches the data, but I have no idea how to run the actionscript or swf on the server.
Swfs run on a client computer, not on the server. The only way it would run on the server would be if you set up a special environment on your server so that it ran a web browser, opened up the page and ran the swf. But even then it would have no correlation to what an external user was doing.
You'll need to run it client side. As far as your security concerns, the best way to get rid of those is to have the php writing the actual image only accept an encrypted form of the image file, which the flash can encrypt. That way they can't simply use the PHP file to upload whatever image they want unless they happened to encrypt it the exact same that your swf did. Next encrypt the swf itself (I recommend SWF Shield) so that a potential hacker cannot read the code to know how to encrypt the image.
We just completed a similar project where we rendered JPGs from SWFs that loaded dynamic data, we used IECapt
Did you try actionscript print commands?
Try and look at this:
http://www.phpclasses.org/browse/package/4312.html
I know this question is long dead, but I had a similar problem and ended up writing a script using applescript + ui scripting to grab the inside area of the preview window of the standalone flash player in OS X. You can grab it off github here.
How about swfdec-thumbnailer from the swfdec-gnome package? It's used to create thumbnails of SWF files but can accept arbitrarily large resolutions with the -s argument.
EDIT: swfdec-gnome has been deprecated in Ubuntu 10.10 in favour of Gnash. Here is a guide on taking screenshots with Gnash (note that certain features like gradients are not yet properly supported).