Adobe Flash Builder 4 provides new tools and features that allow you to quickly create applications that access data services. These features let you easily prototype an application built with Flex that uses web services to access a database. The intent of these features is to provide quick prototyping of applications within a trusted network environment.  

The sample code generated by Flash Builder tools, and also used in Flash Builder documentation, protects against SQL injection. However, there are several additional threats that the developer must address before considering the application production ready. The developer is responsible for addressing the following areas in production applications:

  • Removing unneeded functionality
  • Authentication and authorization
  • Data validation
  • Secure transport

Remove unneeded functionality

The first step to securing your application is to remove any unneeded functionality. 

For example, it's possible that your application requires only a SELECT statement to select data from the database. However, Flash Builder auto-generates methods for INSERT, SELECT, UPDATE, and DELETE statements. Delete the auto-generated code for INSERT, UPDATE, and DELETE. You do not want to risk an attacker deleting or altering the data in your database. 

Another way to limit scope is to limit the data that the web services return. By default, the auto-generated code within Flash Builder selects all fields from the database. 

For example, if you select data from a user table that includes passwords, then the auto-generated SELECT statement returns all user data, including passwords. As a rule, never implement functionality that returns the end user's password to the client. Change the SELECT statement to retrieve only the fields from the user table that you actually need.

Authentication and authorization

After removing excess functionality, add authentication and authorization checks. Authentication ensures that only trusted users are accessing the data within the database. Use authorization to ensure that trusted users can only retrieve their own data.  

For example, suppose that you have authenticated both customer A and customer B as valid users within the system. However, authenticating customer A does not address whether customer A has the authority to query the database for customer B's data. It's necessary to provide separate authorization controls to limit customer A's access to customer B's data. Make sure that you add both authentication and authorization controls before deploying an application built with Flex to the web.

Data validation

While the techniques that Flash Builder uses for SQL queries help mitigate the risk of SQL injection, still perform data validation. For example, if your application stores the amount of a transaction, then validate that the amount provided is a positive number. Also make sure that it is within a reasonable range for the products that you sell. 
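The following added example (not code generated by Flash Builder or taken from its documentation) shows a server-side service written the way the authorization and data validation sections above recommend: it exposes only the read operation the client needs plus a single validated insert, checks every call against the authenticated session's user, returns only the fields the client needs (never the password), and rejects transaction amounts that are not positive or fall outside an assumed range. The in-memory SQLite tables, the customers and the MAX_AMOUNT limit are constructed for the example.

```python
import sqlite3

MAX_AMOUNT = 10000.0  # assumed upper bound for a single order amount


def make_db():
    """Constructed in-memory stand-in for the real database behind the service."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "customer A", "hashA"), (2, "customer B", "hashB")])
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(10, 1, 25.0), (11, 2, 99.0)])
    return db


class OrderService:
    """Only the operations the client needs are exposed (no update/delete),
    and every call is authorized against the session's authenticated user."""

    def __init__(self, db, session_user_id):
        self.db = db
        # Set by the server's authentication layer, never taken from client input.
        self.user_id = session_user_id

    def get_user(self, user_id):
        # Authorization: a user may only read their own record.
        if user_id != self.user_id:
            raise PermissionError("not authorized for this user")
        # Least fields: password_hash is never selected, so it cannot reach the client.
        row = self.db.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchone()
        return {"id": row[0], "name": row[1]} if row else None

    def get_orders(self, customer_id):
        # Authorization: customer A cannot query customer B's orders.
        if customer_id != self.user_id:
            raise PermissionError("not authorized for this customer")
        rows = self.db.execute("SELECT id, amount FROM orders WHERE customer_id = ?",
                               (customer_id,)).fetchall()
        return [{"id": r[0], "amount": r[1]} for r in rows]

    def create_order(self, amount):
        # Data validation: the amount must be a real number, positive, and plausible.
        if isinstance(amount, bool) or not isinstance(amount, (int, float)):
            raise ValueError("amount must be a number")
        if not (0 < amount <= MAX_AMOUNT):  # also rejects NaN, since comparisons with NaN are false
            raise ValueError("amount out of range")
        cur = self.db.execute("INSERT INTO orders (customer_id, amount) VALUES (?, ?)",
                              (self.user_id, amount))
        self.db.commit()
        return cur.lastrowid
```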

Secure transport

Finally, the developer should consider whether the information sent to and received from the database requires an encrypted connection. If laws or standards such as HIPAA or PCI classify the data as sensitive, ensure that SSL protects the connection between the SWF file and the server. The default service connection set by Flash Builder connects over HTTP, which is an unencrypted connection. By using SSL, you can ensure that attackers can't intercept and view your customers' data.

Summary

Flash Builder tools and features allow the developer to create a quick prototype to demonstrate proposed functionality using information from a live database. However, the generated code is not intended for production use without additional development on both the client and server side. Developers are responsible for adding these additional security controls to ensure that malicious users cannot manipulate this functionality to control your database and application.


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
