swf file un secure

Printable View

June 7th, 2003, 01:50 AM
hackerdan1

swf file un secure

Ok well i need to make a page where you put your username and password in and it gets you to the pay page. So i bought CoffeeCup Password Wizard to make them. And it worked out cool, then i looked at it in notepad just looked like jiberish then i saw my target URL (the url it goes too when you type the right username and pass in) just sitting their then i saw a big chunk with the usernames and password clumped together. So my question is anyone know howto encrypt this, or any better programs that dont have the target sitting right their! any help would be nice. Thanks!
June 7th, 2003, 02:23 AM
alittlebitnumb

I do not know if this was written using actionscript, or if the actionscript called any server side scripting language. What do you mean by "big chunk?" Where is it? In a file? A URL?

Thanks for the reiteration.
June 7th, 2003, 02:55 AM
hackerdan1

like when i look at it in notepad say the username is Cool and the password is Dumb it is just sitting their like this: CoolDumb Thanks for the help!
June 7th, 2003, 03:00 AM
HTRegz

What kind of server are you working with? Do you have access to PHP and MySQL? I'd suggest storing the usernames and passwords in a password protected dB that is accessed using php. It'll definately make it more difficult to attept to obtain + the php source won't be displayed so the url would be hidden. Just have a login form and post it to a php file that opens a dB, finds the username then compares the passwords. Then a simple if statement, if they are correct load the correct url, else load an error page.
June 7th, 2003, 04:23 AM
hackerdan1

actually cant do any of that im using geocities stupid free hosting (i know i know im geting good pay hosting once my income kicks in) so i guess i gota work with flash or java (coffee cup does both) unless i can find a more securer program then coffee cup
June 7th, 2003, 12:07 PM
slarty

Bear in mind that flash movies (swf) can be decompiled fairly easily.

The only way to have even moderate security using client-side scripting is to obfuscate the target URL and use that to encode the password.

(Javascript / Java / SWF / Something else client side) -> Encodes the password, and submits it as a URL
Correct password -> Correctly obfuscated URL
Incorrect password -> Incorrect URL. Web server gives "Not found" message (Except geocities probably spams you with 1,000,000 popups and ads)

Unfortunately it makes changing the password difficult, typically you have to rename the directory where your protected pages are.

Also, anyone can post the obfuscated URL and the security it broken. It also gets sent to other web servers in the referrer, and is stored in browser history, caches etc. So not really very secure.
June 7th, 2003, 07:24 PM
hackerdan1

ok i get the idea now what should i switch to but you gota remember im limiting and what i can do because of geocities but im willing to learn a language to make a secure client or something. Thanks