tags:

views:

41

answers:

1
Q: 

Whats a valid strategy for a secure image upload from a flash client?

Hi all -

I'm creating a flash application that will post images to a url for saving to disk/display later. I was wondering what are some suggested strategies for making this secure enough so that the upload is verified as coming from the application and not just some random form post.

Is it reliable enough to check referring location realizing that I don't need bulletproof security, or perhaps setting authentication headers is a better strategy even though it seems unreliable from what I have read.

The application and the server script will reside on the same domain and is in java - is there a way to check for a 'session' or something like that?

Another thought I had was some sort of simple hashed key type system, I could hard-code a key into the flash application and pass something to the server based on that - the server would also know this key and be able to verify if the value passed was based on that?

Thanks for any advice and especially any examples - I am naive in this area -b

The app is a public app, so authenticating users is not an option. After more research I am thinking about using a hard coded salt key on both ends, then sending an MD5 hash of the base64 encoded image bytearray+salt to be matched on the server side. Any thoughts on this strategy?

A: 

Your question can be generalized to 'How can I be sure the image is uploaded through my (flash) application?'. Answer is, it can't. No matter what you do, a determined person can reverse engineer your application or watch the http traffic, and then use that information to create another client (applet/silverlight/html form/standalone program) to upload files to the server. At best, you can obscure to make things difficult. But that's not security.

Instead, you should be asking 'How can I be sure the image has been uploaded by an authorized person?'. This one is possible. The user has to authenticate over https, and then upload the file. Read OWASPs guide to session management for more information on how to solve this problem.

sri  2010-04-27 05:15:29
Hi - thanks for the response. I realize that I can never truly secure the application, and it's not necessary - I'm trying to just implement a small level of security through hassle so that the server side doesn't just save any image it is presented with.The app is a public app, so authenticating users is not an option.After more research I am thinking about using a hard coded salt key on both ends, then sending an MD5 hash of the base64 encoded image bytearray+salt to be matched on the server side.Any thoughts on this strategy?
WillyCornbread  2010-04-27 12:45:45
Encoding the image data plus a salt value and sending it as a "challenge" sounds like a good option, given your requirements, and its easy enough for the client and the server. For the MD5 on the AS side, you can use any of these libraries (there are sure others, but these are kind of standard): http://code.google.com/p/as3corelib/ or http://code.google.com/p/as3crypto/.
Juan Pablo Califano  2010-04-28 18:29:26

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security