Sunday, February 25, 2007

Hacking in Flash. Part two

I'll discuss here hacking into socket apps. It doesn't really require Flash to do it, but the stakes are higher here: usually significant money is involved.

Hack 1: Get an account into the system
Vulnerability: Weak overall security model.
Method: Sniff the data passed on connection. Or adapt the hack described here for sockets.

If the connection is not encrypted, and they usually are not, you can intercept everything on it. Just look for the tools to do that.

Protection against hack: There are various methods here:
1. Exchange credentials via https. Then use an authentication key for every future message. Unfortunately this alone is not sufficient, as you will see in Hack 2 below.
2. Use an encrypted connection. Flash Media Server supports this feature. I don't recommend implementing your own encryption, since the benefits are too small and the security increase is not that significant.


Hack 2: Hijack an existing connection
Vulnerability: Weak overall security model.
Method: You'll need to control a network node for this. Replace the original client (the client end of the connection) with your own.

Socket connections are not as continuous as they seem. The hijack won't be detected by either server or client unless some tricks are developed especially for this. The hijacker can be half proxy, half illegitimate app. It can bypass basic checks like unique auth keys per message: you just have to decompile the original client and reuse its code sequence to encrypt the keys.

Protection against hack: SSH mixed with unique auth keys per message will make the hacker's life so hard he will probably quit. Also implement intrusion detection for both client and server. Most probably the client will be completely blocked from making parallel distress connections, with the hijacker simulating a network failure, but the server can implement a policy for this.
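As an added example (not code from the original post), here is what the per-message auth key from Hack 1 and the server-side intrusion detection from Hack 2 look like together: the server tags each message with an HMAC over a sequence number and the payload, then rejects bad tags, replays of sniffed messages, and sequence gaps that point at a second party on the session. It assumes the session key was handed to the client during the HTTPS credential exchange; a hijacker who has the key can still produce valid tags, so the sequence check only detects the hijack, it does not prevent it.

```python
import hashlib
import hmac
import secrets

# Constructed example, not code from the original post. Assumes the server
# handed the client a random session key during an HTTPS login, so the key
# neither crosses the plain socket nor sits as a constant inside the SWF.

def make_tag(session_key: bytes, seq: int, payload: str) -> str:
    """Per-message authentication key: HMAC over sequence number and payload."""
    data = f"{seq}|{payload}".encode()
    return hmac.new(session_key, data, hashlib.sha256).hexdigest()

class SessionVerifier:
    """Server-side check of each message plus simple intrusion detection."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.expected_seq = 0   # next sequence number the server will accept
        self.alerts = []        # findings worth logging or acting on

    def verify(self, seq: int, payload: str, tag: str) -> bool:
        if not hmac.compare_digest(make_tag(self.session_key, seq, payload), tag):
            self.alerts.append(f"bad tag on seq {seq}")
            return False
        if seq < self.expected_seq:
            # A sniffed message sent again: the tag is valid but already used.
            self.alerts.append(f"replay: seq {seq} already consumed")
            return False
        if seq > self.expected_seq:
            # A gap means lost messages or a second party speaking on this
            # session (the parallel connection of Hack 2); hold the session
            # until the client re-authenticates over HTTPS.
            self.alerts.append(f"gap: expected {self.expected_seq}, got {seq}")
            return False
        self.expected_seq += 1
        return True

def demo() -> list:
    key = secrets.token_bytes(32)
    server = SessionVerifier(key)
    results = []
    for seq, payload in enumerate(["bet 10", "bet 20"]):    # legitimate traffic
        results.append(server.verify(seq, payload, make_tag(key, seq, payload)))
    results.append(server.verify(1, "bet 20", make_tag(key, 1, "bet 20")))  # replay
    results.append(server.verify(2, "bet 999", "00" * 32))  # forged, no key
    results.append(server.verify(5, "bet 30", make_tag(key, 5, "bet 30")))  # gap
    return results
```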
