6

I have an application developed in Flash, and I need to access some PHP files. The PHP file should return some data only if the access came from the SWF. How can I identify whether the request came from Flash or not?

Without passing GET/POST variables to PHP.

coderex
  • I'm in a similar situation. Basically there is no 100% sure fire way since any encryption needs to be in the SWF which is sent to the client. Similar to how DRM works on DVDs. If you give the keys to the user, they can find a way. – Jack Marchetti May 14 '14 at 17:04

4 Answers

1

User agent/Referer possibly. Keep in mind that requests can easily be forged.

Robus
  • How is it possible? Can you give me an example? I tried, but I got the user agent as Mozilla.. :( – coderex Jul 23 '10 at 13:48
  • 1
    For security reasons, Flash can't send user-agent headers when it makes a URLRequest. It uses the existing user-agent of the browser it's running in. – nerdabilly Jul 23 '10 at 13:53
1

I don't think there really is a reliable way of detecting whether Flash made the request. Flash doesn't allow you to set the user-agent, and there are a lot of restrictions on what headers can be set.

Take a look at http://help.adobe.com/en_US/AS3LCR/Flash_10.0/flash/net/URLRequestHeader.html

As John Ballinger suggested, you could set your own header using this and look for that header in the PHP page.

nerdabilly
1

This is in response to John Ballinger's answer:

import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestHeader;

var loader:URLLoader = new URLLoader();
var request:URLRequest = new URLRequest("http://www.mydomain.com/myapp.php");
var header:URLRequestHeader = new URLRequestHeader("custom-header-name", "value");
request.requestHeaders.push(header);
try {
    loader.load(request);
} catch (error:Error) {
    trace("Unable to load requested document.");
}

You must also make sure to modify your crossdomain.xml to allow HTTP headers as follows:

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.mydomain.com" />
    <allow-http-request-headers-from domain="*.mydomain.com" headers="*" />
</cross-domain-policy>
Rudisimo
  • 2
    Alert: this tells you that Flash/a hacker sent you the headers, but doesn't tell you which one! If you wish to strongly secure the channel and enforce only SWF calls, then you have to use encryption (where the key would be loaded in an obfuscated SWF) or the SWFVerify feature and tunnel your request via Flash Media Server. – mizi_sk Jun 11 '11 at 12:55
  • True, but the OP is just asking for a simple identification technique. This is definitely not the way to implement a secure transaction originating from a Flash application. – Rudisimo Jun 28 '11 at 14:05
  • Of course, I like your simple way (thus I did +1 your answer). If this is what suffices for the OP, then it's OK; I just wanted to warn that this is not secure. – mizi_sk Jun 29 '11 at 09:02
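
The server-side half of the header check discussed above, as an added example that is not part of the original answers: a PHP function that looks for the custom header and treats it only as a hint, since any HTTP client can send the same header. The header name and value are the placeholders from the ActionScript snippet; the function names and the sample `$_SERVER` arrays are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Placeholder name/value taken from the ActionScript snippet above.
const FLASH_HEADER_NAME  = 'custom-header-name';
const FLASH_HEADER_VALUE = 'value';

/**
 * PHP exposes request headers in $_SERVER as HTTP_<NAME>, upper-cased,
 * with dashes turned into underscores.
 */
function serverKeyForHeader(string $name): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $name));
}

/**
 * Returns true when the request carries the expected header value.
 * This only shows that the client chose to send the header; any HTTP
 * client can send the same bytes, so never gate sensitive data on it.
 */
function looksLikeFlashClient(array $server): bool
{
    $key = serverKeyForHeader(FLASH_HEADER_NAME);
    if (!isset($server[$key]) || !is_string($server[$key])) {
        return false;
    }
    // hash_equals avoids leaking the expected value through timing.
    return hash_equals(FLASH_HEADER_VALUE, $server[$key]);
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    'swf with header'  => ['HTTP_CUSTOM_HEADER_NAME' => 'value', 'HTTP_USER_AGENT' => 'Mozilla/5.0'],
    'plain browser'    => ['HTTP_USER_AGENT' => 'Mozilla/5.0'],
    'forged by script' => ['HTTP_CUSTOM_HEADER_NAME' => 'value', 'HTTP_USER_AGENT' => 'curl/8.0'],
];

foreach ($samples as $label => $server) {
    printf("%-17s => %s\n", $label, looksLikeFlashClient($server) ? 'header present' : 'no header');
}
```

The first and third samples produce the same result, which is the limitation the comments above describe: the check identifies the header, not the sender.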
0

You cannot tell that it is coming from Flash, as Flash actually uses the browser to do the request.

But in your Flash request you could add your own header to the HTTP request (you can do this pretty easily in Flash). That way you can see if the request is coming from Flash.

John Ballinger