FLASH SECURITY
    <mx:FormItem label="First Name: ">
      <s:TextInput id="firstNameTextInput"/>
    </mx:FormItem>
    <mx:FormItem>
      <s:Button label="Submit" click="clickHandler(firstNameTextInput.text)"/>
    </mx:FormItem>
  </mx:Form>
  <fx:Declarations>
    <!-- The '<' character is not allowed inside an MXML attribute value,
         so it is written as &lt; in the expression -->
    <mx:RegExpValidator id="validator" source="{firstNameTextInput}"
                        property="text" expression="((\%3C)|&lt;)"/>
  </fx:Declarations>
</s:Application>
We are using the RegExpValidator component and passing it the regular expression "((\%3C)|<)". If there
is no match, you get "The field is invalid."
You can run each of the regular expressions in turn and check whether it produced zero results, which
tells you whether the expression was present in the input.
To read more about using regular expressions to check for cross-site scripting attacks, see the Symantec
article:
http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
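The following complete application is an added example, not the book's own listing: it wires the same validator into the Submit handler and reads the result of validate() directly, because RegExpValidator reports INVALID when the expression does not match, so for an attack pattern INVALID means the input is clean. The names checkForXss, xssValidator and resultLabel are chosen for this example.

```mxml
<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
               xmlns:s="library://ns.adobe.com/flex/spark"
               xmlns:mx="library://ns.adobe.com/flex/mx">
  <fx:Script>
    <![CDATA[
      import mx.events.ValidationResultEvent;

      // Runs the validator on demand and inverts its meaning for our purpose:
      // the expression describes an attack marker, so "no match" (INVALID)
      // is the safe outcome and "match" (VALID) is the suspicious one.
      private function checkForXss():void
      {
        var result:ValidationResultEvent = xssValidator.validate();
        if (result.type == ValidationResultEvent.INVALID)
        {
          // Empty input also lands here (required-field error): no markup present.
          resultLabel.text = "Accepted: no '<' or %3C in the input.";
        }
        else
        {
          resultLabel.text = "Rejected: '<' or its URL-encoded form %3C found.";
        }
      }
    ]]>
  </fx:Script>

  <fx:Declarations>
    <!-- '<' must be escaped as &lt; inside an MXML attribute.
         flags "gi" make the check case-insensitive so %3c is caught too.
         triggerEvent="" stops automatic validation on valueCommit, so the
         misleading "field is invalid" tooltip never appears for clean input. -->
    <mx:RegExpValidator id="xssValidator"
                        source="{firstNameTextInput}" property="text"
                        expression="((\%3C)|&lt;)" flags="gi"
                        triggerEvent=""/>
  </fx:Declarations>

  <mx:Form>
    <mx:FormItem label="First Name: ">
      <s:TextInput id="firstNameTextInput"/>
    </mx:FormItem>
    <mx:FormItem>
      <s:Button label="Submit" click="checkForXss()"/>
    </mx:FormItem>
    <mx:FormItem>
      <s:Label id="resultLabel"/>
    </mx:FormItem>
  </mx:Form>
</s:Application>
```

Extend the expression with the other patterns from the Symantec article (for example the %3E/> and %2F// forms) in the same way, keeping each one as a separate alternative inside the attribute.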
Update Flash Player and SDK Often
Adobe works constantly to fight attackers. For instance, in the upgrade to Flex SDK 3.4, Adobe fixed
CVE-2009-1879, a cross-site scripting vulnerability in the index.template.html shipped with SDK 3.3.
When the installed Flash Player version was older than the specified requiredMajorVersion value, the
template allowed remote attackers to inject arbitrary web script or HTML via the query string.
Spoofing Attacks
In some cases a remotely loaded SWF can try to overlay controls on the SWF that loaded it. If the attempt is
successful, the loaded SWF can potentially hijack control from the loading SWF, or carry out clickjacking—tricking
a user into clicking on something that seems harmless, but isn't. Setting a mask on the Loader can prevent this
type of attack by confining the loaded SWF to a defined region of the display object.
Summary
In this chapter, we touched just the tip of the security iceberg. In Part 1, we covered decompiling and
modifying a SWF file and loading the Flash app SWF file into another project. We showed how attackers
can figure out the application source code and access other domains through the accessed application.
We then showed how to avoid cross-domain scripting attacks.
In the second part we looked at the cross-site scripting (XSS) vulnerability by showing vulnerability in Flex
applications. We continued by describing a cross-scripting attack on a web page from Flex and from a