AIR security flaw
Posted on July 20, 2009
Opening a browser outside an AIR application exposes the URL variables in the browser.
Although it is not entirely fair to pin this on AIR, since AIR is meant for desktop applications and has little to do with external browsers, it is an issue you may run into when launching an external browser ('external' meaning not inside the AIR application itself). It becomes a security flaw when you open the browser with authenticated data or session data. Even if you use the 'post' method to send the URLVariables, they won't be hidden in the browser.
Here is an example where the problem shows up.
    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
        <mx:Button x="399" y="305" label="Button" click="getUI()" />
        <mx:Script>
            <![CDATA[
                private function getUI():void{
                    var re:URLRequest=new URLRequest("http://localhost/url/check.php");
                    // POST is requested here, yet desc still shows up in the browser
                    re.method=flash.net.URLRequestMethod.POST;
                    var urlv:URLVariables=new URLVariables;
                    urlv.desc=5;
                    re.data=urlv;
                    // hands the request, data included, to the external browser
                    navigateToURL(re,"_self");
                }
            ]]>
        </mx:Script>
    </mx:WindowedApplication>
When you run this example, it opens a browser and shows the variable name and value there, whereas the same sort of code written for a web application would not show 'desc=5' in the browser.
A sample of the same code, implemented for a mouse click event on a button, is given below.
    abc_mc.addEventListener(MouseEvent.CLICK, ola);

    function ola(e:MouseEvent):void{
        var re:URLRequest=new URLRequest("http://localhost/url/check.php");
        re.method=flash.net.URLRequestMethod.POST;
        var urlv:URLVariables=new URLVariables;
        urlv.desc=5;
        re.data=urlv;
        // same request as above, opened in a new browser window
        navigateToURL(re,"_blank");
    }
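The PHP code used in the test is as follows:
    <?php
    // $_REQUEST merges GET and POST, so desc is read whichever way it arrives.
    $test = isset($_REQUEST['desc']) ? $_REQUEST['desc'] : '';
    // Escape before echoing so the test page does not reflect raw input.
    echo htmlspecialchars($test, ENT_QUOTES, 'UTF-8');
    ?>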
So be sure you never pass any data when opening an external browser.
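One way to follow that advice when the browser still needs to know what to show, as an added example that is not part of the original post: POST the variables from inside the AIR application with URLLoader, and open the external browser with only a single-use token. The token.php and open.php endpoints, the t parameter and the 32-hex-character token format are assumptions; the code is timeline-style ActionScript like the second sample.

```actionscript
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.events.SecurityErrorEvent;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;
import flash.net.navigateToURL;

// Assumed endpoints (not in the original post): token.php stores the posted
// variables server-side and returns a single-use, short-lived token;
// open.php redeems the token once and renders the page.
const TOKEN_URL:String = "http://localhost/url/token.php";
const OPEN_URL:String = "http://localhost/url/open.php";

function openInBrowser(desc:int):void {
    var vars:URLVariables = new URLVariables();
    vars.desc = desc;
    var req:URLRequest = new URLRequest(TOKEN_URL);
    req.method = URLRequestMethod.POST;
    req.data = vars;
    // URLLoader sends the request from the AIR runtime itself, so desc
    // travels in the POST body and never reaches a browser address bar.
    var loader:URLLoader = new URLLoader();
    loader.addEventListener(Event.COMPLETE, onToken);
    loader.addEventListener(IOErrorEvent.IO_ERROR, onError);
    loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onError);
    loader.load(req);
}

function onToken(e:Event):void {
    var raw:String = String(URLLoader(e.target).data);
    // Assumed token format: 32 lowercase hex characters. Anything else is rejected.
    var m:Array = raw.match(/^([0-9a-f]{32})\s*$/);
    if (m == null) {
        trace("unexpected token response, browser not opened");
        return;
    }
    // Only the opaque token appears in the external browser's URL.
    navigateToURL(new URLRequest(OPEN_URL + "?t=" + m[1]), "_blank");
}

function onError(e:Event):void {
    // Fail closed: never fall back to passing desc through navigateToURL.
    trace("token request failed: " + e.type);
}

openInBrowser(5); // same value as the samples above
```

Outside a localhost test, both endpoints should be served over HTTPS so that neither the POST body nor the token crosses the network in clear text.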