This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
RIA Security Smackdown
From OWASP
Latest revision as of 15:11, 14 April 2008
Notes from the OWASP Washington chapter meeting where we discussed:
- Java Applet - very old technology, runs in sandbox
- Flash 7 - old flash movie environment
- JFX (Sun Java) - New scripting language compiles to bytecode, runs via Java Web Start
- Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
- Google Gears - local storage component with JavaScript API (Same Origin all the way down)
- AIR (Adobe - formerly Apollo) - desktop runtime that runs Flash (SWF) movies, ActionScript, HTML/JavaScript and FLV video outside the browser
Threat Agents to Consider
- Threat from external attackers against your desktop application
- Threat from an attacker against back end systems
- Threat from malicious developers
References
AIR - http://www.flashsec.org, http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.swf
Results
Key
- (Y) - Allowed by RIA framework
- (LF) - Limited by framework (a built in limitation or control)
- (LSO) - Limited by same origin policy (special built in policy)
- (LD) - Limited by developer (specified in a policy file like security.policy, jnlp, or crossdomain.xml)
- (LU) - Limited by user (specified in a policy file)
- (N) - Denied by RIA framework
| Capability / Framework | Java Applet | Adobe Flash | Google Gears | Java FX (JFX) | MS Silverlight | Adobe AIR |
|---|---|---|---|---|---|---|
| Persistence - Does the RIA framework allow data to be persisted in the client? | N | LF | LSO | LD | LU | Y |
| Sharing - Does the RIA framework allow uploading data? | LSO | LSO | Y | LD | LSO | Y |
| Exchange - Does the RIA framework use data formats that mix data and code (e.g. HTML, JSON), so that untrusted data can become executable? | N | N | ? | LD | Y (XAML and PE) | Y |
| Pipes - Does the RIA framework allow multiple RIAs to communicate with each other on the client? | Y (LiveConnect) | N | N | ? | N | Y |
| Files - Does the RIA framework have access to the local file system? | N | N | N | LD | LU (IsoStore) | Y |
| Sockets - Does the RIA framework have access to local network sockets? | LSO | LSO | LSO | LD | N (yet) | Y |
| Windows - Does the RIA framework have the ability to create windows? | LF | N | N | LD | N | Y |
| Devices - Does the RIA framework have the ability to access local cameras and microphones? | N | LF | N | LD | N | Y |
| Native - Does the RIA framework have access to local native code or executables? | N | N | N | LD | N | Y |
| DOM - Does the RIA framework have access to the DOM? | Y | Y | Y | ? | Y | Y |
| Controls - Does the RIA framework have access to other components within the DOM? | N | Y | LSO | LD | ? | Y |
| Self-Modify - Can an RIA modify the RIA framework? | N | N | ? | LD | N | Y |
| DNS Pinning - Does the RIA framework pin DNS results, i.e. protect against DNS rebinding (anti-DNS-pinning) attacks that let a remote origin reach internal hosts? | N | N | N | LD | N | N |
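
The key's LD entry names crossdomain.xml as the developer-written policy file that decides how far Flash and AIR content may reach across origins (the Sharing and Sockets rows above). As an added example that is not part of the original OWASP notes, the following Python script audits such a file for the settings a tester looks for before trusting an LSO/LD rating. The two policy documents embedded in it are constructed samples, not any real site's policy, and the function name audit_crossdomain is ours.

```python
"""Audit an Adobe Flash/AIR cross-domain policy file (crossdomain.xml).

Added example for this page, not from the OWASP notes. The two sample
policies below are constructed for illustration only. The audit flags the
settings that make a policy overly permissive: wildcard domains, a
permissive site-control meta-policy, secure="false" on an https-served
policy, all-ports socket grants and unrestricted request-header forwarding.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the kind of policy that turns "LSO" into "anyone".
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: explicit hosts only, master policy only.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="api.example.com" to-ports="443"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text: str, served_over_https: bool = True) -> List[str]:
    """Return a list of findings for the given crossdomain.xml text.

    served_over_https: whether the policy (and the data it guards) is served
    over https; only then does secure="false" widen access. An empty list
    means nothing obviously risky was found.
    """
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>; not a cross-domain policy"]

    # The meta-policy says whether policy files outside the web root's master
    # policy are honoured. "all" lets any policy file on the host (for example
    # one uploaded to a user-content directory) grant cross-domain access.
    for sc in root.findall("site-control"):
        mode = sc.get("permitted-cross-domain-policies", "")
        if mode == "all":
            findings.append("site-control permits policy files anywhere on the host (all)")

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin access to this host')
        elif domain.startswith("*."):
            findings.append(f"subdomain wildcard {domain}: every host under it is trusted")
        # secure defaults to true on an https policy; "false" lets a plain-http
        # SWF read data from this https host.
        if served_over_https and rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain}: http-loaded SWFs may read https data')
        # to-ports is honoured in socket policy files (served on port 843);
        # "*" opens every port on the host to Flash sockets from that domain.
        if rule.get("to-ports") == "*":
            findings.append(f'to-ports="*" on {domain}: socket access to all ports')

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append("any origin may send arbitrary request headers to this host")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restrictive", RESTRICTIVE_POLICY)):
        print(f"{name}:")
        for finding in audit_crossdomain(policy) or ["no findings"]:
            print("  -", finding)
```

Run it against the policy fetched from a target's web root (and, for socket use, from port 843) rather than the embedded samples; a domain="*" or site-control "all" finding means the framework's same-origin limitation in the table no longer applies to that host.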