Flash is more secure than anticipated…

Posted by Steve Hanna on March 25th, 2007 filed in Technical

After reading about some work regarding puppetnets, I thought it would be a good idea to investigate the possibility of using Flash applications for my own nefarious deeds. I learned that Flash now supports sockets of the TCP variety (with Flash 9 and AS3) so of course my head was spinning with the possibilities. After finding an example that did some port scanning, I decided that I would try my hand at writing some client-server code and see exactly what I could do. Everything was working very well within the Flash development environment and I was complimenting myself on my realization of how easy it would be to use this in many, many situations of less than noble intentions. However, hubris kicked in and I realized that I had forgotten to test it within a browser. As soon as my code executed, I got errors about violating the security sandbox. I guess I should have given the Flash developers a bit more credit. Oh well, back to the drawing board.
