Secure Ajax and Flash (tags: security, Ajax, Flash)

2023-09-11 01:35:27 Author: 幼稚〃诠释了莪扪の青春

In order to secure Ajax requests, Ran Bar-Zik suggested to "create a small flash file to receive the data, SALT it and encrypt it with MD5. Then send it to the server. The attacker is able to see the data but it is encrypted." Would anybody who has done this want to share the code with the world? Thanks :-)

Recommended answer

Mr Ran Bar-Zik is mistaken. The security system he has proposed violates CWE-602 and is "(in)security through obscurity" (http://en.wikipedia.org/wiki/Security_through_obscurity).

In short, the problem is that the server is providing data to a client-side application. The client can do whatever he pleases. He can modify the JavaScript code or intercept and modify all communications using TamperData or Burp Proxy. A Flash application can be decompiled, and any secrets stored in memory can be obtained with a debugger like OllyDbg. There is no solution to this problem.
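The following is an added illustration of the answer's point (example code, not from the question, the answer, or Ran Bar-Zik). It models the proposed scheme in Python: a salt compiled into the client, MD5(salt + data) as an "integrity" value, and a server that recomputes it. Because every client receives the salt, a client that edits the payload can produce a matching digest, so the server check accepts arbitrary data (CWE-602). The second half shows the server-side alternative: the server keeps the authoritative values and validates the request against them, ignoring anything the client computed. The salt, catalog and order fields are constructed sample values.

```python
import hashlib
import hmac

# Constructed value: in the proposed design this salt is compiled into the SWF,
# so it is delivered to every client and can be read out of the decompiled file.
CLIENT_SALT = "example-salt-embedded-in-swf"


def client_sign(data: str, salt: str = CLIENT_SALT) -> str:
    """What the proposed Flash helper computes: MD5(salt + data)."""
    return hashlib.md5((salt + data).encode("utf-8")).hexdigest()


def server_check_client_hash(data: str, digest: str, salt: str = CLIENT_SALT) -> bool:
    """Server side of the proposed scheme: recompute MD5(salt + data) and compare.

    A constant-time comparison does not rescue the design; the weakness is that
    the salt is not secret from the client (CWE-602), so the digest proves
    nothing about who produced the data.
    """
    return hmac.compare_digest(client_sign(data, salt), digest)


def resign_after_edit(new_data: str, salt: str = CLIENT_SALT) -> tuple[str, str]:
    """Models the answer's point: any client holding the salt (every client
    does) can submit edited data together with a digest the server accepts."""
    return new_data, client_sign(new_data, salt)


# Mitigation: enforce on the server. The server keeps the authoritative values
# and validates the request against them, ignoring any client-supplied price
# or integrity hash. Constructed catalog; prices in cents.
CATALOG = {"sku-1": 1999, "sku-2": 500}
MAX_QTY = 10


def server_authoritative_total(order: dict) -> int:
    """Compute the order total from server-side data only.

    Client-supplied 'price' and 'digest' fields are deliberately ignored;
    only the identifiers the server can look up are used, and they are
    validated against server-side rules.
    """
    sku = order.get("sku")
    qty = order.get("qty")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    if not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("invalid quantity")
    return CATALOG[sku] * qty


if __name__ == "__main__":
    original = "sku=sku-1&price=1999"
    print("honest client accepted:", server_check_client_hash(original, client_sign(original)))
    edited, digest = resign_after_edit("sku=sku-1&price=1")
    print("edited payload also accepted:", server_check_client_hash(edited, digest))
    print("server-computed total:", server_authoritative_total({"sku": "sku-1", "qty": 2, "price": 1}))
```

The first two calls show that the MD5 check distinguishes nothing: the edited request passes exactly as the honest one does. `server_authoritative_total` is the shape of the fix the answer implies: whatever the client sends about price or integrity is discarded, and the server decides from its own data.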
