This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "RIA Security Smackdown"

From OWASP
Jump to: navigation, search
m (Fixed link to wisec.it)
 
(9 intermediate revisions by 3 users not shown)
Line 10: Line 10:
 
==Threat Agents to Consider==
 
==Threat Agents to Consider==
  
* Threat from external attackers
+
* Threat from external attackers against your desktop application
 +
* Threat from an attacker against back end systems
 
* Threat from malicious developers
 
* Threat from malicious developers
  
 
==References==
 
==References==
  
AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf
+
AIR - http://www.flashsec.org, http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.swf
  
 
==Results==
 
==Results==
Line 42: Line 43:
 
| LSO
 
| LSO
 
| LD
 
| LD
| LD
+
| LU
 
| Y
 
| Y
 
|-  
 
|-  
 
| '''Sharing''' - Does the RIA framework allow uploading data?
 
| '''Sharing''' - Does the RIA framework allow uploading data?
 
| LSO
 
| LSO
| N
+
| LSO
 
| Y
 
| Y
 
| LD
 
| LD
| ?
+
| LSO
 
| Y
 
| Y
 
|-  
 
|-  
Line 58: Line 59:
 
| ?
 
| ?
 
| LD
 
| LD
| ?
+
| Y (XAML and PE)
 
| Y
 
| Y
 
|-  
 
|-  
 
| '''Pipes''' - Does the RIA framework allow multiple RIAs to communicate with each other on the client?
 
| '''Pipes''' - Does the RIA framework allow multiple RIAs to communicate with each other on the client?
 +
| Y (LiveConnect)
 
| N
 
| N
 
| N
 
| N
 +
| ?
 
| N
 
| N
| ?
 
| ?
 
 
| Y
 
| Y
 
|-  
 
|-  
Line 74: Line 75:
 
| N
 
| N
 
| LD
 
| LD
| ?
+
| LU (IsoStore)
 
| Y
 
| Y
 
|-  
 
|-  
 
| '''Sockets''' - Does the RIA framework have access to local network sockets?
 
| '''Sockets''' - Does the RIA framework have access to local network sockets?
 
| LSO
 
| LSO
| N
+
| LSO
 
| LSO
 
| LSO
 
| LD
 
| LD
| ?
+
| N (yet)
 
| Y
 
| Y
 
|-  
 
|-  
Line 90: Line 91:
 
| N
 
| N
 
| LD
 
| LD
| ?
+
| N
 
| Y
 
| Y
 
|-  
 
|-  
 
| '''Devices''' - Does the RIA framework have the ability to access local cameras and microphones?
 
| '''Devices''' - Does the RIA framework have the ability to access local cameras and microphones?
 
| N
 
| N
 +
| LF
 
| N
 
| N
 +
| LD
 
| N
 
| N
| LD
 
| ?
 
 
| Y
 
| Y
 
|-  
 
|-  
Line 106: Line 107:
 
| N
 
| N
 
| LD
 
| LD
| ?
+
| N
 
| Y
 
| Y
 
|-  
 
|-  
 
| '''DOM''' - Does the RIA framework have access to the DOM?
 
| '''DOM''' - Does the RIA framework have access to the DOM?
| N
+
| Y
| N
+
| Y
 
| Y
 
| Y
 
| ?
 
| ?
| ?
+
| Y
 
| Y
 
| Y
 
|-  
 
|-  
 
| '''Controls''' - Does the RIA framework have access to other components within the DOM?
 
| '''Controls''' - Does the RIA framework have access to other components within the DOM?
 
| N
 
| N
| N
+
| Y
 
| LSO
 
| LSO
 
| LD
 
| LD
Line 130: Line 131:
 
| ?
 
| ?
 
| LD
 
| LD
| ?
+
| N
 
| Y
 
| Y
 
|-  
 
|-  
Line 138: Line 139:
 
| N
 
| N
 
| LD
 
| LD
| ?
+
| N
| Y
+
| N
 
|}
 
|}
  
  
 
__NOTOC__
 
__NOTOC__

Latest revision as of 15:11, 14 April 2008

Notes from the OWASP Washington chapter meeting where we discussed:

  • Java Applet - very old technology, runs in sandbox
  • Flash 7 - old flash movie environment
  • JFX (Sun Java) - New scripting language compiles to bytecode, runs via Java Web Start
  • Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
  • Google Gears - local storage component with JavaScript API (Same Origin all the way down)
  • AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents to Consider

  • Threat from external attackers against your desktop application
  • Threat from an attacker against back end systems
  • Threat from malicious developers

References

AIR - http://www.flashsec.org, http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.swf

Results

Key

  • (Y) - Allowed by RIA framework
  • (LF) - Limited by framework (a built in limitation or control)
  • (LSO) - Limited by same origin policy (special built in policy)
  • (LD) - Limited by developer (specified in a policy file like security.policy, jnlp, or crossdomain.xml)
  • (LU) - Limited by user (specified in a policy file)
  • (N) - Denied by RIA framework
RIA Framework Java Applet Adobe Flash Google Gears Java FX (JFX) MS Silverlight Adobe AIR
Persistence - Does the RIA framework allow data to be persisted in the client? N LF LSO LD LU Y
Sharing - Does the RIA framework allow uploading data? LSO LSO Y LD LSO Y
Exchange - Does the RIA framework use data formats that scramble data and code (HTML, JSON) N N  ? LD Y (XAML and PE) Y
Pipes - Does the RIA framework allow multiple RIAs to communicate with each other on the client? Y (LiveConnect) N N  ? N Y
Files - Does the RIA framework have access to the local file system? N N N LD LU (IsoStore) Y
Sockets - Does the RIA framework have access to local network sockets? LSO LSO LSO LD N (yet) Y
Windows - Does the RIA framework have the ability to create windows? LF N N LD N Y
Devices - Does the RIA framework have the ability to access local cameras and microphones? N LF N LD N Y
Native - Does the RIA framework have access to local native code or executables? N N N LD N Y
DOM - Does the RIA framework have access to the DOM? Y Y Y  ? Y Y
Controls - Does the RIA framework have access to other components within the DOM? N Y LSO LD  ? Y
Self-Modify - Can an RIA modify the RIA framework? N N  ? LD N Y
DNS Pinning - Does the RIA framework protect against DNS pinning? N N N LD N N


Retrieved from "https://wiki.owasp.org/index.php?title=RIA_Security_Smackdown&oldid=28035"