RIA Security Smackdown

From OWASP
Revision as of 05:45, 24 August 2007

Notes from the OWASP Washington chapter meeting where we discussed the following RIA (Rich Internet Application) frameworks:

  • Java Applet - very old technology; runs in a sandbox
  • Flash 7 - older Flash movie runtime
  • JFX (Sun Java) - new scripting language that compiles to bytecode and runs via Java Web Start
  • Silverlight (Microsoft) - .NET applets that run inside the browser; no privileged code
  • Google Gears - local storage component with a JavaScript API (same-origin policy enforced all the way down)
  • AIR (Adobe - formerly Apollo) - runtime that runs Flash and Shockwave movies, ActionScript, JavaScript and FLV

Threat Agents to Consider

  • Threat from external attackers
  • Threat from malicious developers

References

AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf

Results

Key

  • (Y) - Allowed by RIA framework
  • (LF) - Limited by framework
  • (LSO) - Limited by same-origin policy
  • (LD) - Limited by developer
  • (LU) - Limited by user
  • (N) - Denied by RIA framework
  • (?) - No answer recorded in the notes

Criteria (one question per row of the table below):

  • Persistence - Does the RIA framework allow data to be persisted on the client?
  • Sharing - Does the RIA framework allow uploading data?
  • Exchange - Does the RIA framework use data formats that mix data and code (HTML, JSON)?
  • Pipes - Does the RIA framework allow multiple RIAs to communicate with each other on the client?
  • Files - Does the RIA framework have access to the local file system?
  • Sockets - Does the RIA framework have access to local network sockets?
  • Windows - Does the RIA framework have the ability to create windows?
  • Devices - Does the RIA framework have the ability to access local cameras and microphones?
  • Native - Does the RIA framework have access to local native code or executables?
  • DOM - Does the RIA framework have access to the DOM?
  • Controls - Does the RIA framework have access to other components within the DOM?
  • Self-Modify - Can an RIA modify the RIA framework?
  • DNS Pinning - Does the RIA framework protect against DNS rebinding (anti-DNS-pinning) attacks?

RIA Framework   Java Applet  Adobe Flash  Google Gears  Java FX (JFX)  MS Silverlight  Adobe AIR
Persistence     N            LF           LSO           LD             LD              Y
Sharing         N            N            ?             LD             ?               Y
Exchange        N            N            ?             LD             ?               Y
Pipes           N            N            ?             ?              ?               Y
Files           N            N            ?             LD             ?               Y
Sockets         N            N            ?             LD             ?               Y
Windows         N            N            ?             LD             ?               Y
Devices         N            N            ?             LD             ?               Y
Native          N            N            ?             LD             ?               Y
DOM             N            N            ?             ?              ?               Y
Controls        N            N            ?             LD             ?               Y
Self-Modify     N            N            ?             LD             ?               Y
DNS Pinning     N            N            ?             LD             ?               Y
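The Exchange row asks whether a framework's wire formats let data and code intermingle. The JavaScript below is an added illustration, not code from the chapter notes or from any of the frameworks listed: it contrasts the historical RIA/AJAX habit of decoding JSON with eval() against a decoder that checks the media type and uses JSON.parse. The function names (decodeWithEval, decodeJsonResponse, compareDecoders) and both response bodies are constructed for this example.

```javascript
// Added example (not from the OWASP chapter notes): the "Exchange" criterion.
// An RIA client that decodes JSON with eval() turns its data channel into a
// code channel. All inputs below are constructed for this example.

// A benign response as the server would normally send it.
const benignBody = '{"user":"alice","role":"viewer"}';

// A response an attacker controls (e.g. via a compromised CDN or injection):
// valid JavaScript, invalid JSON. The comma expression runs a side effect and
// hands the application a different object than the one it "parsed".
const poisonedBody =
  '{"user":"alice","role":"viewer"}, (globalThis.pwned = true),' +
  ' {"user":"alice","role":"admin"}';

// Historical RIA/AJAX pattern: wrap in parens so the object literal is an
// expression, then eval it. Anything the body contains is executed.
function decodeWithEval(body) {
  return eval('(' + body + ')');
}

// Hardened decoder: require a JSON media type and use JSON.parse, which only
// accepts the JSON grammar, so executable content is a SyntaxError.
function decodeJsonResponse(contentType, body) {
  if (!/^application\/json\s*(;|$)/i.test(contentType)) {
    throw new TypeError('refusing non-JSON content type: ' + contentType);
  }
  return JSON.parse(body);
}

// Decodes one body both ways and reports what each decoder returned and
// whether the body managed to run code (observed via globalThis.pwned).
function compareDecoders(body) {
  let viaEval;
  let viaJson;

  globalThis.pwned = false;
  try {
    viaEval = { ok: true, role: decodeWithEval(body).role };
  } catch (e) {
    viaEval = { ok: false, error: e.name };
  }
  viaEval.sideEffect = globalThis.pwned === true;

  globalThis.pwned = false;
  try {
    const obj = decodeJsonResponse('application/json; charset=utf-8', body);
    viaJson = { ok: true, role: obj.role };
  } catch (e) {
    viaJson = { ok: false, error: e.name };
  }
  viaJson.sideEffect = globalThis.pwned === true;

  return { viaEval, viaJson };
}
```

With the benign body both decoders agree; with the poisoned body the eval path reports the attacker's "admin" object and the side effect fires, while the strict decoder throws a SyntaxError and executes nothing. The content-type check matters on its own: a response the server intended as HTML should never reach a JSON decoder at all.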