Archive for December, 2009

19
Dec

Adobe closed major security concerns with Flash Player 10.0.42.34; however, these changes may affect the ability to access SWFs when setting Security.allowDomain

It appears that Adobe closed some major security concerns with Flash Player 10.0.42.34 (see here); however, I believe these security changes have altered the ability to access a SWF when setting Security.allowDomain.

ASDOC says:

“If two SWF files are served from different domains — for example, http://siteA.com/swfA.swf and http://siteB.com/siteB.swf — then, by default, Flash Player does not allow swfA.swf to script swfB.swf, nor swfB.swf to script swfA.swf. A SWF file gives SWF files from other domains by calling Security.allowDomain(). This is called cross-domain scripting. By calling Security.allowDomain("siteA.com"), siteB.swf gives siteA.swf permission to script it.” (see here)

In the example below I am creating the setup ASDOC describes. I will create two applications, hosted on two separate domain names; however, I am unable to change properties in the accessed application. See details below:

The accessed application holds a label and sets Security.allowDomain to the wildcard (*), so any application should be able to load this SWF and change its properties. See below:


<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
			   xmlns:s="library://ns.adobe.com/flex/spark"
			   xmlns:mx="library://ns.adobe.com/flex/halo"
			   minWidth="1024" minHeight="768" preinitialize="application1_initializeHandler(event)">
	<fx:Script>
		<![CDATA[
			import flash.system.Security;
			import mx.events.FlexEvent;

			// Runs before the application initializes: grant SWFs from every
			// domain (*) permission to script this SWF once they have loaded it.
			protected function application1_initializeHandler(event:FlexEvent):void
			{
				Security.allowDomain("*");
			}

		]]>
	</fx:Script>

	<s:Label id="label" text="Hello from accessed application!" x="8" y="9"/>

</s:Application>

The second application (accessing application) will be hosted on a separate domain and load the accessed swf and change the label property:


<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
			   xmlns:s="library://ns.adobe.com/flex/spark"
			   xmlns:mx="library://ns.adobe.com/flex/halo"
			   minWidth="1024" minHeight="768"
			   initialize="initializeHandler()">
	<fx:Script>
		<![CDATA[
			import flash.display.Loader;
			import flash.events.Event;
			import flash.events.IOErrorEvent;
			import flash.events.SecurityErrorEvent;
			import flash.net.URLRequest;
			import mx.controls.Alert;
			import mx.events.FlexEvent;

			// define variables
			private var loader:Loader;
			private var content:*;

			// load swf
			private function initializeHandler():void
			{
				loader = new Loader();
				loader.contentLoaderInfo.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
				loader.contentLoaderInfo.addEventListener(Event.COMPLETE, loadContent_onComplete);
				loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
				loader.load(new URLRequest("http://zeen.com/temp/bin-debug/AccessedApplication.swf"));

				component.addChild(loader);
			}

			// Event Handlers

			private function loadContent_onComplete(event:Event):void
			{
				// For a loaded Flex application this is its SystemManager
				content = event.target.content;

				var onContentApplicationComplete:Function = function(event:Event):void
				{
					// content loaded successfully
				};

				content.addEventListener(FlexEvent.APPLICATION_COMPLETE, onContentApplicationComplete);
			}

			private function ioErrorHandler(event:IOErrorEvent):void
			{
				loader.contentLoaderInfo.removeEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);
				Alert.show(event.text);
			}

			private function securityErrorHandler(event:SecurityErrorEvent):void
			{
				loader.contentLoaderInfo.removeEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
				Alert.show(event.text);
			}

			// methods to access loaded swf

			private function callAccessedApplication():void
			{
				// SystemManager.document is the loaded application; "label" is its Label id
				this.content.document.label.text = "label change!";
			}

		]]>
	</fx:Script>

	<mx:UIComponent id="component" width="400" height="82" x="11" y="43" />

	<s:Button label="Call accessed application"
			  click="callAccessedApplication()" x="84" y="0"/>

</s:Application>

I have also set the cross-domain policy on the accessed application's server to allow access:


<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>
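As an added example (not code from the post), here is how the accessing side can test the trust relationship before touching the loaded content instead of discovering it through a sandbox violation, and how the accessed side should narrow its grant. The class name GuardedLoader and the hostname siteA.com are assumptions for the example.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.LoaderInfo;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.net.URLRequest;

    // Accessing side (siteA). The accessed SWF on siteB should grant only this
    // origin, Security.allowDomain("siteA.com"), rather than "*": with "*" any
    // SWF anywhere that loads it can drive its UI and call its methods.
    public class GuardedLoader extends Sprite {
        private var loader:Loader = new Loader();

        public function GuardedLoader(swfUrl:String) {
            var info:LoaderInfo = loader.contentLoaderInfo;
            info.addEventListener(IOErrorEvent.IO_ERROR, onFailure);
            info.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onFailure);
            loader.load(new URLRequest(swfUrl));
            addChild(loader);
        }

        // True only when scripting the child is permitted: same origin, or the
        // child has called Security.allowDomain() for our origin (or "*").
        // A Flex child makes that call in its preinitialize handler, which runs
        // after the load completes, so evaluate this when you act, not in COMPLETE.
        public function canScriptChild():Boolean {
            var info:LoaderInfo = loader.contentLoaderInfo;
            return info.sameDomain || info.childAllowsParent;
        }

        // Called from the button instead of touching loader.content directly.
        public function changeChildLabel(newText:String):Boolean {
            if (!canScriptChild()) {
                trace("child has not granted scripting access to " + loaderInfo.url);
                return false;
            }
            // Loaded Flex app: content is its SystemManager, document the app;
            // "label" is the id used in the post's accessed application.
            Object(loader.content).document.label.text = newText;
            return true;
        }

        private function onFailure(event:Event):void {
            trace(event.type + ": " + Object(event).text);
        }
    }
}
```

The crossdomain.xml above governs only data loads (URLLoader, Socket policy), not SWF-to-SWF scripting; that is decided solely by the child's Security.allowDomain() call, which is what childAllowsParent reports.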

The SWF is loaded successfully, but with a warning alert. Additionally, I am unable to change the label properties on the accessed application; see the screenshot below:


The application is hosted here:
http://eladelrom.com/bin-debug/AccessingApplication.html

I am hoping to get a clarification: https://bugs.adobe.com/jira/browse/FP-3513

10
Dec

Lightweight Ant script extensions generator for Robotlegs following best practices.

Robotlegs is one of the newest AS3 micro-architecture frameworks out there. To help folks who are starting with Robotlegs, and to make life easier for current Robotlegs users, I have created Ant script extensions that generate most of the code you need in order to work with Robotlegs following best practices.


The Ant tasks will generate the following:

  • Robotlegs folder structure
  • Robotlegs libraries and source code
  • Automatic ThunderBolt integration for each user gesture
  • Create VO
  • Add event command for a user gesture
  • Add startup command
  • Add main class and Context class
  • Create model class
  • Create service class
  • Create view and mediator combo
  • Move libraries and source code to the project lib

You can download the Ant tasks from GitHub:
http://github.com/EladElrom/robotlegs-utilities-AntGenerator

Feel free to add these tasks to your arsenal. Cheers :)

09
Dec

Top security threats to Flash/Flex applications and how to avoid them - series on InsideRIA

I just published the first article in the series I will be posting on InsideRIA regarding Flash/Flex security. The intention of these articles is for you to gain knowledge about security in Flash and Flex applications. In each article I will cover specific security vulnerabilities, show examples of how an attacker can abuse Flash/Flex applications, and point out ways to help prevent these attacks. The purpose of these articles is to increase awareness so that you take security into consideration when building your applications.


See the first article, which covers the cross-domain scripting threat, here:
http://www.insideria.com/2009/12/top-security-threats-to-flashf.html

01
Dec

RIABeardOff - charity event for members of the RIA community

In case you didn’t hear, Chuck Freedman started an amazing and generous event called RIA Beard Off. The event is a charity event for members of the RIA community to grow beards and raise money for Marine Toys for Tots Foundation.

I decided to help out and I stopped shaving last Monday. We are looking to reach at least $2,000, but hopefully more, so to entice you to donate I decided to give away prizes.

This is what you need to do: make a donation to #RIABeardoff and mention my name when you make the donation, and two lucky people will win the book I co-authored (click here to view). The book will be shipped to your preferred address.

In addition to the two books, I am also going to give away a 3rd prize, which is going to be a surprise. Make a donation now! http://firstgiving.com/riabeardoff

    TIMELINE:

  • 11/23 - Monday - Bearder registration starts
  • 11/27 - Friday - Bearder registration ends, Open donations start!
  • 11/30 - Monday - First of many, frequent Bearder snapshots posted!
  • 12/14 - Monday - Last Bearder update posted!
  • 12/15 - Tuesday - Bearding ends. Bearders can shave & move on with their lives.

Here is the list of the generous Flash developers that agreed to stop shaving:

LordAlex Leon
Stacey Mulcahy ( BitchWhoCodes)
Bernie & Erikka Perkins
Mims H. Wright
Scott Janousek
Chris Allen
Curt Staubach (@curtStaubach)
Paul Gregoire (@mondain)
@BenStucki
Todd Anderson (@bustardcelly)
Robert Hall (@rhall)
Joseph Labrecque (@JosephLabrecque)
Jesse Freeman (@theflashbum)
Kevin Suttle (@kevinSuttle)
Brian Connatser (@connatser)
Elad Elrom (@EladElrom)
Chuck Freedman (@chuckstar)

I want to point out that some have actually shaved beards that were years old, like Robert Hall and Scott Janousek.

This is a great cause and every donation counts, so please donate!

01
Dec

Test Driven Development using Flash Builder 4 beta and FlexUnit on Devnet

There has been a great deal of interest in TDD (and unit testing in general) recently, because it leads to applications that are easier to scale and maintain and less prone to errors. I just published an article on Devnet that covers unit testing and Test Driven Development using Flash Builder 4 and FlexUnit, including some of the new features in the FlexUnit 4 framework.

Check it out here:
http://www.adobe.com/devnet/flex/articles/flashbuilder4_tdd_02.html