Metal Hurlant
/blog
Web Application Security and Other Stuff
Mon, 23 Jun 2008 01:33:12 +0000
http://backend.userland.com/rss092
en

As3Crypto is now open. Well, *more* open.
As3Crypto has been open-source from the start, but the development, iteration and feedback process isn't quite as open and collaborative as it should be. There is this one guy controlling every aspect of it, hiding his precious source code until he deems it ready for another release, and generally being way ...
/blog/2008/06/22/security/as3crypto-is-now-open-well-more-open/

Flash 10 API Explorer
A couple years ago, I wrote this little Java Explorer script that used Liveconnect to inspect available Java classes. It included a little console that made it easy to play with those classes and their members to see what they seemed to do. More recently, when the Flash Player 10 beta ...
/blog/2008/05/28/security/flash-10-api-explorer/

ScreamingDonkey - Tomorrow’s browser scripting, today. kinda.
Here we go. ESC is far along enough to start treating it like a working ecmascript compiler. Combined with my little JSObject hack and some glue, you end up with something that gives you a taste of things to come. So here is ScreamingDonkey. Not to be confused with ScreamingMonkey, a ...
/blog/2008/05/19/web/screamingdonkey-tomorrows-browser-scripting-today-kinda/

As3 Eval updated
I've grabbed some recent .abc binaries from the Mozilla Tamarin repository. The ESC project is moving along quite nicely apparently, as this version is able to compile a lot more constructs. For example, it has enough namespace support to let scripts access objects located in other packages (see the sample ...
/blog/2008/05/17/web/as3-eval-updated/

Still Alive
My work life has been very distracting these past few months. I'm not quite out of the woods yet, but things should calm down a bit over the next few weeks, which should give me a chance to have some fun here again. My apologies to folks reporting bugs or asking ...
/blog/2008/03/12/sadness/still-alive/

JSObject. It’s not just for Java anymore.
Back in the days, Netscape created this neat layer of glue called LiveConnect. Among other things, it would expose javascript objects to Java through a JSObject class. Fast forward to ActionScript. ExternalInterface provides a way of eventually doing the same thing. Things like FABridge make things somewhat friendlier, but FABridge only ...
/blog/2008/01/04/web/jsobject-its-not-just-for-java-anymore/

Eval() and ActionScript.
Over a year ago, Adobe open sourced Tamarin, and there was much rejoicing. As part of the source drop, Adobe included an actionscript compiler written in actionscript. A few folks noticed that it sounded a whole lot like an "eval()" method, and thought that once the good folks at Mozilla and Adobe ...
/blog/2008/01/02/flash/eval-and-actionscript/

Flash on C/C++
If you missed it, an Adobe engineer, Scott Petersen, gave a talk at Chicago Max a couple of months ago, showcasing some crazy side project of his, that allows him to run c/c++ code on top of an unmodified Flash player. This has various implications, one of which is one could ...
/blog/2007/12/01/flash/flash-on-cc/

Backport of some As3Crypto stuff to As2
Apparently, ActionScript 2 isn't dead yet. While I anxiously await the day popular gizmos like the Wii or the iPhone get to run as3 bytecode, there are apparently still legitimate reasons to want to code with As2. There already are various chunks of code out there to encrypt stuff with As2, the ...
/blog/2007/11/29/security/backport-of-some-as3crypto-stuff-to-as2/

As3Crypto 1.3 is out, TLS support is in.
There we go, Flash now has a TLS 1.0 implementation written entirely in ActionScript. In spite of my previous post, I didn't feel right releasing something that didn't have a shot at protecting against Man-in-the-middle attacks, so I took a few more days to implement some X.509 certificate parsing and validating. This ...
/blog/2007/11/19/security/as3crypto-13-is-out-tls-support-is-in/