Flash 101

Flash is a rich content, video, animation technology for web-apps. Flash logic is written in ActionScript, which has a similar syntax to JS but is a compiled language.

Flash Decompilers:

Flash Embeds:

Using the Object tag Flash can be embedded in HTML:

<object type="application/x-shockwave-flash" width="700" height="450">
    <param name="movie" value="Animation.swf"/>
    <param name="allowScriptAccess" value="never"/>
    <embed src="Animation.swf" width="700" height="450"/>
</object>

AllowScriptAccess Attributes:

• Always: The script can communicate with the HTML regardless of domain.

• sameDomain: The SWF file must share the domain if it is to communicate with the HTML

  • //Default setting (domain sandbox)

• Never: The SWF file can never communicate with the HTML

Passing arguments to Flash files:

• Direct Ref: Standalone flash files(not embeded) can accept params in the URL and when the swf file is loaded a dummy html page is made to host it via a &redirect=http://site.com

• Data atrb: When the flash file is embedded, arguments are passed in the data attribute within the object tag.

• FlashArgs: For embedded flash files, a <param> sub tag can also be used to pass args as seen: <param name="FlashArgs" value="name=Mike&redirect=http:/site.com" />

Flash Stakeholders:

• Administrative Role: The installer of Flash Player to the server. They config the security settings for all users.

  • system32\Macromed\Flash\mms.cfg: config file read at Flash startup. Contains access restrictions and features.

  • Global Flash Player Trust Directory: SWF files that are registered as globally-trusted, can load data from local and remote locations and interact with other swf files.

• User Role: The user who Flash Player is running under.

  • Has User lever Trust Directory

• Website Role: This is the webapp level enforcer of flash loading/access policies.

  • Policy file: crossdomain.xml , Typically in the web root

  • SWF files located on external domains use this policy file look up to decide if they can try to access contents. Security.loadPolicyFile()

• Author Role: The developer of the SWF. This user can effect the built in interaction behavior of the animation between different domains. Security.allowDomain(<alloweddomains>). This is a implicit deny.

Flash Connection:

• Document Server Connect

  • Loader(file loads)

  • Sound

  • URLLoader(text or bin data)

  • URLStream

• Socket Connection

  • ActionScript Socket

  • XMLSocket

ActionScript Call to JS:

Using the ExrternalInterface.call() function, AS can call JS functions:

JavaScript Call to AS:

Using the getFlashMovie() function, JS can make calls to AS functions:

AS, Open external SWF in embedded window:

navigateToURL(URLRequest, <target>) The function can also run JS directly from it after loading the swf, such as: javascript: alert('alert');

Local Shared Objects:

Are the equivalent to cookies but for flash. Have SOP-like rules and can track users. They are not exchanged over HTTP and never expire. All browsers on a system share the same flash object jar. Win7 Path: c:\Users\<user>\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\

Create or fetch a local shared object with the following: var myCookie:SharedObject = SharedObject.getLocal("information"); If the information object exists it will fetch and store it to myCookie other wise it will create myCookie and it will be empty.