Hi, I have a couple of .swf game files uploaded to my server. I want to run some tests, but I don't want to expose them or let the public/other people see our swf files. Currently, if I type:

www.domain.com/games/game1.swf

It will play the swf file.

I tried to visit some other flash game based websites. When I visit one of the swf files (e.g. www.xxx.com/folder/flash.swf), it would redirect me to the homepage (www.xxx.com).

Is this the correct way to prevent the public from viewing my swf files?

There is a lot of third-party swf-to-fla decompiler software; will my swf files be secure?

Will my swf files be hacked/stolen (code and graphics)?

Once your swf files are hacked, will my website be safe from web attacks?

How do I secure swf files?

Please help

+1  A: 

You have a lot of questions here.

> When I visit one of the swf files ... it would redirect me to the homepage ...

I would suspect this is implemented by checking the 'HTTP_REFER', when loading the .SWF page. You could do this if you like.

> Is this the correct way to prevent the public from viewing my swf files?

No. Depending on what server you're running, you should put some authentication on the folder '/TestSwfs', and then upload all your swfs to there, and you will need to log in first. Fairly simple to do this in both IIS and Apache, but let us know which one you are running.

> There is a lot of third-party swf-to-fla decompiler software; will my swf files be secure?

I suspect not. There are probably SWF Obfuscators though, but they can still be reversed.

> Once your swf files are hacked, will my website be safe from web attacks?

It shouldn't matter. You should not be including secrets/passwords in your SWFs that you don't want to be public. You may be writing high-scores, and you can step up the complexity required by doing some crypto, or other such things, but really, for just high scores, it's probably not important.

Design your SWF code so that even if it was public, your server would be safe.

Noon Silk
Thanks for the quick response. 1. Checking HTTP REFER? What do you mean? 2. I am using IIS. And yes, I need to log in before the game can start. For every game swf file, I do a login check whether the user is logged in? Is that what you mean? 3. I see. I agree with you. 4. My passwords are stored in a database (mysql) and php is the middleman. 5. "Design your SWF code so that even if it was public, your server would be safe" is a bit hard to digest.
1. You check this field in code. I assume you're not a web programmer? It's going to be a bit difficult for you to implement this all properly then ...
Noon Silk
To do the folder-security thing in IIS, start->run->`inetmgr`, then find the folder, right click, properties, and uncheck 'anonymous access'; then you can look at the 'authenticated access' options you have. I'd go with integrated windows, so just use a windows account with appropriate privileges.
Noon Silk
1. Do a simple check like this: `if (eregi("www.mysite.com", $_SERVER['HTTP_REFERER'])) { /* then let it view my swf */ }` Is that what you mean? I am using php though.
Tried unchecking 'anonymous access', but I can still run the swf files without login. Hmmmm... do I need to restart my server? (I don't think so)
And did you then check [x] integrated windows? It works for me. Check it again.
Noon Silk
A: 

One additional point to Silky's answer.

You should implement a REST API correctly in your SWF, that will assume that even if someone can hack your swf (which is very easy), they cannot log in to your server and manipulate any data or bring it down.

You should never directly alter the database by using direct APIs; you should always use web services instead of database connectivity tools.

Akash Kava
A: 

To protect a swf, use these steps:

  • Use an ActionScript obfuscator like SWF Protector from DComSoft
  • Server-side protection by using htaccess URL rewrite and hotlink-prevention rules that will hide/mask the URL to your SWF
  • You may try encryption with the As3crypto library
  • Load SWF at Runtime. Just embed an SWF as a ByteArray into the loader SWF and it can be loaded through Loader.loadBytes().
Alex
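
One way to do the login check discussed in the first answer and its comments, in PHP since the asker uses it: a gate script that serves a SWF only to a logged-in session and ignores the Referer header. This is an added example, not code from any poster in the thread; the `private_swf` directory, the `user_id` session key, `/login.php` and the game names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Directory, session key, login URL and game names are assumed.
const GAME_DIR = __DIR__ . '/../private_swf';   // assumed: outside the web root
const GAMES = ['game1' => 'game1.swf', 'game2' => 'game2.swf'];  // allow-list

// Decide how to answer a request: returns [HTTP status, file path or null].
// The Referer header is not consulted, because the client controls it.
function authorize_game(array $session, $name): array
{
    if (empty($session['user_id'])) {
        return [401, null];              // no logged-in session
    }
    if (!is_string($name) || !array_key_exists($name, GAMES)) {
        return [404, null];              // only allow-listed names map to files
    }
    return [200, GAME_DIR . '/' . GAMES[$name]];
}

if (PHP_SAPI !== 'cli') {                // web request: enforce the decision
    session_start();
    [$status, $path] = authorize_game($_SESSION, $_GET['name'] ?? null);
    if ($status === 401) {
        header('Location: /login.php');  // assumed login page
        exit;
    }
    if ($status !== 200 || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/x-shockwave-flash');
    header('Cache-Control: private, no-store');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
// Command line (php serve_game.php): constructed requests as a self-check.
$cases = [
    [[], 'game1', 401],                          // anonymous visitor
    [['user_id' => 7], '../web.config', 404],    // name that is not on the list
    [['user_id' => 7], ['game1'], 404],          // name[]=game1 array input
    [['user_id' => 7], 'game1', 200],            // logged-in user, known game
];
foreach ($cases as [$session, $name, $want]) {
    if (authorize_game($session, $name)[0] !== $want) {
        throw new RuntimeException('unexpected decision');
    }
}
echo "all decisions as expected\n";
```

A logged-in user still receives the whole file and can decompile it, so this controls who can download the SWF, not what they can do with it afterwards.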