[flexcoders] Re: AMFPHP Security?
You could always use a secure connection via https. Also, you could send an encrypted username and password. For example, every thirty minutes generate a new password string. The server can use the same algorithm to generate a string and then you could compare them.

--- In flexcoders@yahoogroups.com, Clark Stevenson a.scots...@... wrote:

Hi all. I am new to AMFPHP. Let's say you have a class and a function:

SomeClass.saveHighScore(304958);

For me, the way I see it, is that anyone using Charles can call this method? What's to stop anyone from calling it directly?

SomeClass.saveHighScore(20394948548438484);

Can anyone advise me on ways I could secure this method? Thanks. Clark.
Re: [flexcoders] Re: AMFPHP Security?
Thanks for your help guys.

Oleg: I didn't really understand what you meant. The server can't know about your high score locally? IE: you score 13 points. You need to tell the server that you got 13 points. How could the server know otherwise that you got 13 points?

Valdhor: I think this is something we approached first. When the HTML page is generated, a hash is created which must be passed along with the username for anything to happen. It's just for my brain, what's to stop me using Charles to see the hash, then calling highscore(userID, hash, 39894809489048840984)? It's for this reason I don't understand hashes, they help but not really.

HTTPS was also another option but I think that this application uses different networks: Game.swf comes from game.com, UserInfo comes from network1.com, network2.com. I believe this makes HTTPS impossible?

Anyways thanks again. Cheers, Clark.

On 11 August 2010 14:35, valdhor valdhorli...@embarqmail.com wrote:
RE: [flexcoders] Re: AMFPHP Security?
If you want it to be fairly untouchable, have all your game logic on the server. The only thing the swf does is gather input, and display state. That way, nobody can spoof the game logic (which is pretty much your issue). Gk.
Re: [flexcoders] Re: AMFPHP Security?
Exactly what Gk said. You can make it difficult to forge the data on the client, but you cannot 100% prevent it from being cracked, so, better, keep the score on the server.
[flexcoders] Re: AMFPHP Security?
How about computing the hash based on the date and time when someone invokes the high score? Time can be +- 15 seconds to account for the amount of time to get to the server. The server computes the same hash when it receives the call and then compares. Someone could possibly grab the hash in Charles and plug it in to some code to call it but probably not in 15 seconds. By then the hash will be out of date. Or, you could send a date/time string hash as well as the high score hash and make sure that is within your parameters. Just thinking out loud here...

--- In flexcoders@yahoogroups.com, Clark Stevenson a.scots...@... wrote:
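The timed-hash check from this post (and the rotating-string idea earlier in the thread), as an added example that is not code from the thread or from amfphp; it assumes a hypothetical secret shared by client and server and the ±15 second window, and since that secret has to ship inside the SWF for the client to compute the token, anyone who extracts it can still mint a token for any score, so this limits replay of captured tokens and does not replace Gk's advice to keep the score logic on the server.

```php
<?php
// Added example, not from the thread: server-side verification of the
// "hash based on date and time" idea. The client sends the timestamp it
// used plus HMAC(user|score|timestamp); the server rejects anything outside
// the tolerance window and anything whose MAC does not match.

const SCORE_SECRET = 'constructed-secret-change-me'; // hypothetical shared secret
const TOLERANCE_SECONDS = 15;                        // +/- window from the post

/** Token over user, score and client timestamp; both sides compute this. */
function scoreToken($userId, $score, $timestamp)
{
    return hash_hmac('sha256', "$userId|$score|$timestamp", SCORE_SECRET);
}

/** Returns null on success, otherwise the reason the submission is rejected. */
function checkScoreSubmission($userId, $score, $timestamp, $token, $now)
{
    if (abs($now - $timestamp) > TOLERANCE_SECONDS) {
        return 'timestamp outside window';   // stale, replayed, or clock-skewed
    }
    // Constant-time comparison so the check does not leak through timing.
    if (!hash_equals(scoreToken($userId, $score, $timestamp), $token)) {
        return 'token mismatch';             // user, score or time was altered
    }
    return null;
}

// Constructed client submission made at t = 1000.
$ts    = 1000;
$token = scoreToken('clark', 13, $ts);

// Fresh and untouched: accepted (null).
var_dump(checkScoreSubmission('clark', 13, $ts, $token, $ts + 5));
// Same token replayed two minutes later: rejected by the window.
var_dump(checkScoreSubmission('clark', 13, $ts, $token, $ts + 120));
// Captured token reused with an inflated score: rejected by the MAC.
var_dump(checkScoreSubmission('clark', 999999, $ts, $token, $ts + 5));
```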
[flexcoders] Re: AMFPHP Security
Zoli is right. Usage of a specific object type in a method signature is irrelevant to security. In fact, you do not even need to know AMF to do it. One could easily use something like ServiceCapture to understand the structure of the argument type, then construct a similar object and run it in a local Flex/Flash movie with unrestricted security. Essentially it means that a gateway must safeguard against such malicious attacks. Our implementation (weborb) does it quite well.

Cheers, Mark

--- In flexcoders@yahoogroups.com, Zoltan Csibi wrote:

What I mean is: if I can sniff what typed VO an application is receiving, I can craft an AMF packet with:
- call to deleteUser
- the same VO type (simplified: as we know that this is just a string of the class name followed by other strings describing property names and other binary data with property values etc etc etc)

The gateway (fluorine, openamf, fds ... anything) will see a valid object/type. There is no type-coercion error here. This is an easy task to do with AMF knowledge.

Bottom line: I don't think that passing simple types, untyped VOs or typed VOs makes any difference from a security point of view.

With kind regards, Zoli

From: flexcoders@yahoogroups.com On Behalf Of Patrick Mineault
Sent: Thursday, January 18, 2007 6:29 PM
To: flexcoders@yahoogroups.com
Subject: Re: [flexcoders] AMFPHP Security

Wouldn't Fluorine and OpenAMF throw a type-coercion error, given that the first argument is typed? Of course, the code in the constructor would be called anyways. Patrick
Re: [flexcoders] Re: AMFPHP Security
I think you're misunderstanding my argument Mark. Of course you can spoof any message you want, and you don't have to be an expert either to do it; you could use the amfphp service browser, SabreAMF as a library, or a Flash movie to send any message whatsoever to a gateway.

The issue with class mapping is that when developers put something in the service folder, they know that the code can be included and methods run on it. If they care about security, they will take care that the methods defined are not dangerous if remotely executed with other data. But from talking to a very well-known blogger (a Java fan) and seeing some of the new code that is going around in tutorials, I see that while people are taking care of escaping strings before sending them to a database and the like, they don't bother to check the argument type that's received, and while that may not be dangerous if you receive an array instead of a string, it may be if you receive a live object which has code in it which may be executed.

The locking mechanisms which apply to amfphp, WebORB or Fluorine are per-method, but class mappings in most implementations are per gateway (at least, that's what it is in amfphp, Fluorine, or OpenAMF). So you could call an unlocked method with a mapped class that you would only expect to receive in a locked method, and if that mapped class has side-effects it could do some damage. Because class mapping and VOs are often used in database scenarios, we're talking about potential data-loss issues here. It's a far-fetched scenario, but the main issue is that it is such an unobvious scenario that you might not actually think about it, and you might not think about securing against it.

About the "Our implementation (weborb) does it quite well", I'm not sure what you're referring to by "it". Could you expand?

Patrick

Mark Piller wrote:
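The per-method argument check Patrick describes as missing from tutorial code, as an added example that is not code from the thread or from amfphp; every class, method and value here is hypothetical, and it assumes the gateway may hand any mapped object to any method, so each method verifies its own arguments rather than trusting the wire type.

```php
<?php
// Added example, not from the thread or from amfphp: per-method argument
// checks for a remoted service. Class mapping is per gateway, so any method
// may be handed a mapped object; each method therefore verifies the type of
// what it received before acting on it. All names are hypothetical.

final class UserVO                       // hypothetical mapped value object:
{                                        // plain data, no constructor side effects
    public $id;
    public function __construct($id = '') { $this->id = $id; }
}

/** Throws unless $value is the expected scalar type or class. */
function requireType($method, $name, $value, $expected)
{
    switch ($expected) {
        case 'int':    // AMF0 carries every number as a double, so accept
                       // integral floats as well as native ints.
            $ok = is_int($value) || (is_float($value) && $value == (int) $value);
            break;
        case 'string': $ok = is_string($value); break;
        default:       $ok = $value instanceof $expected;
    }
    if (!$ok) {
        $got = is_object($value) ? get_class($value) : gettype($value);
        throw new InvalidArgumentException("$method(): $name must be $expected, got $got");
    }
}

class HighScoreService                   // hypothetical amfphp service class
{
    public function saveHighScore($userId, $score)
    {
        requireType(__FUNCTION__, 'userId', $userId, 'string');
        requireType(__FUNCTION__, 'score', $score, 'int');
        if ($score < 0 || $score > 1000000) {   // domain range check
            throw new InvalidArgumentException('score out of range');
        }
        return "saved " . (int) $score . " for $userId";
    }

    public function deleteUser($user)
    {
        requireType(__FUNCTION__, 'user', $user, UserVO::class);
        return "deleted {$user->id}";
    }
}

$svc = new HighScoreService();
echo $svc->saveHighScore('clark', 13.0), PHP_EOL;    // AMF-style double is fine
try {
    $svc->saveHighScore('clark', new UserVO('x'));   // mapped object where an int belongs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```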