RIA Security Smackdown
From OWASP
Revision as of 23:56, 23 August 2007
Notes from the OWASP Washington chapter meeting where we discussed:
- FLEX (Adobe) - development environment for Flash Apps
- Flash Studio for movies
- Java Applet
- Flash 7
- JFX (Sun Java)
- Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
- Google Gears - local storage component with JavaScript API (Same Origin all the way down)
- AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV
Threat Agents
- Threat from external attackers
- Threat from malicious developers (sandbox?)
Basic Problems
- Anyone going to this model will have to deal with how to handle sensitive information and sensitive functions on the client.
- Is there sharing of data between users? Download someone else's data into your application?
- How do you separate code from data? Does any data contain anything that might get interpreted? HTML, XML, JSON, Javascript, ???
- How does data move between the RIA and the server? Is it just data or is embedded code possible?
- How do you separate one app from another app within the VM (same for DB)
- What happens when you move outside the browser? You lose the protection that the browser sandbox affords.
- Mashups?
- Connections between an RIA and an app running inside the browser (to steal the session)
- What level of interaction is allowed with the browser and the DOM? Is there an API to interact with DOM? Can you interact with other components in the DOM?
- How is interaction with native code allowed?
- How is interaction with the code of the RIA platform allowed? Can you modify the platform (Backbase)?
- How is information passed to the VM to restrict its behaviour so that it complies with the Same Origin Policy?
- Protected against anti-DNS-pinning (DNS rebinding) attacks? Use TLS certificates?
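The "is it just data or is embedded code possible?" and "does any data contain anything that might get interpreted?" questions above, as an added example (not part of the meeting notes and not from any of the platforms listed): the same constructed server response handled the way early RIA/Ajax clients often did (wrapped in parentheses and passed to eval) and the way a data-only parser handles it. The response strings, the `__leaked` global and the function names are assumptions for the demo.

```javascript
// Added example, not from the OWASP meeting notes. Demonstrates the
// "is it just data or is embedded code possible?" question: one server
// response handled as code (eval) and as data (JSON.parse).

// Constructed server responses for the demo. The second one is valid
// JavaScript but not valid JSON: the balance field is a comma expression
// whose side effect runs attacker-chosen code inside the RIA's origin.
const BENIGN_RESPONSE = '{"user":"alice","balance":42}';
const HOSTILE_RESPONSE =
  '{"user":"alice","balance":(globalThis.__leaked = "sessionid=abc123", 42)}';

// Common pattern in early Ajax/RIA code: the response text is wrapped in
// parentheses and evaluated. Anything the server (or whoever can tamper
// with the response in transit) puts in the body runs with the app's rights.
function parseWithEval(body) {
  return eval("(" + body + ")");
}

// Data-only parsing: JSON.parse implements the JSON grammar and nothing
// else, so expressions, assignments and calls raise a SyntaxError.
function parseAsData(body) {
  return JSON.parse(body);
}

// Check to run before trusting a response: is it pure data?
function isPureData(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (err) {
    return false;
  }
}

// When a data field is later written into HTML (e.g. via innerHTML),
// escape it so that markup inside the field cannot become code in the DOM.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-alone demo: returns what each approach made of the hostile response.
function demo() {
  const results = {
    benignIsData: isPureData(BENIGN_RESPONSE),
    hostileIsData: isPureData(HOSTILE_RESPONSE),
    hostileViaEval: parseWithEval(HOSTILE_RESPONSE).balance,
    leaked: globalThis.__leaked, // set as a side effect of the eval above
  };
  delete globalThis.__leaked;
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The eval path still returns a perfectly normal-looking object (balance 42), which is why this class of bug is easy to miss in testing; only the data-only parser makes the embedded code visible by refusing it.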
References
- AIR: http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf
Criteria
- Cross platform
- Local File system access
- Network access
- Built-in Database
- HTML
- JavaScript
- Support for cross-domain policy (crossdomain.xml)
- Windowing
- Drag and Drop
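The "support for cross-domain policy (crossdomain.xml)" criterion above, together with the earlier question of how the VM is told to comply with the Same Origin Policy, as an added example (not part of the meeting notes and not code from Adobe or any RIA platform): a small audit of a crossdomain.xml file, the mechanism by which a server relaxes the Flash VM's same-origin restriction for SWFs loaded from other sites. The policy documents and the function names are constructed for the demo; the regex parser assumes well-formed input and a real XML parser should be used in practice.

```javascript
// Added example, not from the OWASP meeting notes: audit a Flash/Flex/AIR
// cross-domain policy file (crossdomain.xml). A permissive policy lets a SWF
// served from any site make requests to this host with the browser's cookies
// attached and read the responses, i.e. it hands the Same Origin Policy away.

// Constructed policy files for the demo.
const PERMISSIVE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const WEAK_SECURE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="partner.example.net" secure="false" />
</cross-domain-policy>`;

const RESTRICTED_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com" secure="true" />
  <allow-access-from domain="*.example.com" />
</cross-domain-policy>`;

// Extract the attributes of every <allow-access-from> element. A regex is
// enough for this well-formed demo input; use an XML parser on real files.
function parseAllowAccess(xml) {
  const entries = [];
  const tagRe = /<allow-access-from\b([^>]*?)\/?>/g;
  let tag;
  while ((tag = tagRe.exec(xml)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1]] = attr[2];
    }
    entries.push(attrs);
  }
  return entries;
}

// Return a list of findings (empty when nothing risky was seen).
function auditCrossdomainPolicy(xml) {
  const findings = [];
  for (const entry of parseAllowAccess(xml)) {
    const domain = entry.domain || "";
    if (domain === "*") {
      findings.push(
        'domain="*": SWF content from any site may send credentialed ' +
          "requests to this host and read the responses"
      );
    }
    // On a policy served over HTTPS, secure defaults to true; setting it to
    // false lets SWFs loaded over plain HTTP read the HTTPS responses.
    if (entry.secure === "false") {
      findings.push(
        `secure="false" for ${domain}: HTTP-loaded SWFs may read HTTPS responses`
      );
    }
  }
  return findings;
}

// Stand-alone demo: audit the three constructed policies.
function demo() {
  return {
    permissive: auditCrossdomainPolicy(PERMISSIVE_POLICY),
    weakSecure: auditCrossdomainPolicy(WEAK_SECURE_POLICY),
    restricted: auditCrossdomainPolicy(RESTRICTED_POLICY),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The check worth keeping from this is the first one: a wildcard policy on a host that sets session cookies is the Flash-era equivalent of turning the same-origin policy off for that host, and it should be fetched and reviewed (https://host/crossdomain.xml) for every RIA backend in scope.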
Organizations have been rated on the following five characteristics:
- 1. Adobe AIR
- The
- 2.
- The
- 3. Flex
- The
- 4. Flex
- The
- 5. Flex
- The
Scoring
| RIA Framework | 1. Awareness | 2. Requirements | 3. Verification | 4. AppSec Team | 5. Response | Score |
|---|---|---|---|---|---|---|
| | Full | Full | Full | Full | Full | 10 |
| Oracle | Full | None | Partial | None | Full | 5 |
| Foobar | Full | Full | Full | Full | Full | ? |