RIA Security Smackdown
Revision as of 23:11, 23 August 2007

Notes from the OWASP Washington chapter meeting where we discussed:

  • FLEX (Adobe) - development environment for Flash Apps
  • Flash Studio for movies
  • Java Applet
  • Flash 7
  • JFX (Sun Java)
  • Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
  • GWT + Google Gears
  • AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents

  • Threat from external attackers
  • Threat from malicious developers (sandbox?)

Basic Problems

  • Anyone adopting this model has to decide how sensitive information and sensitive functions are handled on the client.
  • Is there sharing of data between users? Can you download someone else's data into your application?
  • How do you separate code from data? Does any data contain anything that might get interpreted (HTML, XML, JSON, JavaScript, ...)?
  • How do you separate one app from another app within the VM (and likewise within the built-in DB)?
  • What happens when you move outside the browser? You lose the protection the browser sandbox affords.
  • Mashups?
  • Connections between an RIA and an app running inside the browser (e.g. to steal the SESSION).
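The code/data separation question above, as an added example that is not part of the meeting notes: a JavaScript RIA client that receives records other users may have stored. Both records below are constructed sample inputs; the function and variable names are illustrative. The legacy parenthesised-eval parser executes anything that is a valid JavaScript expression, while JSON.parse rejects it as a syntax error, and the renderer encodes the fields at the point where data becomes markup.

```javascript
// Constructed sample records (not real data). The second is not JSON at all:
// it is a JavaScript object literal carrying an assignment in one of its values.
const SAFE_RECORD = '{"name":"Alice <alice@example.com>","bio":"Hello & welcome"}';
const HOSTILE_RECORD = '{"name":"Mallory","tag":(globalThis.pwned = true, "done")}';

// Legacy pattern seen in early RIA clients: eval the response inside parentheses.
// Every valid JS expression is executed, so data and code are not separated.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Data-only parser: JSON.parse accepts the JSON grammar and nothing else.
// Returns null for anything that is not JSON instead of running it.
function parseAsData(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Output encoding for the HTML context so a field can never be read as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Builds the profile fragment from an already-parsed record; fields are encoded
// here, at the boundary where plain strings turn into HTML.
function renderProfile(record) {
  return '<div class="profile"><b>' + escapeHtml(record.name) + '</b>' +
         '<p>' + escapeHtml(record.bio) + '</p></div>';
}

// Convenience wrapper: parse as data, then render, or report the rejected input.
function handleRecord(text) {
  const record = parseAsData(text);
  return record === null ? 'rejected: not JSON' : renderProfile(record);
}
```

Running handleRecord on HOSTILE_RECORD yields "rejected: not JSON" and leaves globalThis.pwned undefined, whereas parseWithEval on the same string returns an object and sets globalThis.pwned to true, which is the difference between interpreting a response and merely parsing it.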


References

AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf


Criteria

  • Cross platform
  • Local File system access
  • Network access
  • Built-in Database
  • HTML
  • JavaScript
  • Support for cross-domain policy (crossdomain.xml)
  • Windowing
  • Drag and Drop
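The cross-domain policy criterion, as an added example that is not part of the meeting notes: a small audit of a Flash/Flex crossdomain.xml. The two policies are constructed samples and the checker is illustrative code, not anything from Adobe. It flags the two settings that most often turn the policy into a read-anything grant: a wildcard domain, which lets a SWF served from any site make requests with the victim's cookies and read the responses, and secure="false", which makes a policy served over HTTPS honour callers loaded over plain HTTP.

```javascript
// Constructed sample policies (not taken from any real site).
const WEAK_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>`;

const TIGHT_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="app.example.com"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>`;

// Pulls one attribute value out of the attribute text of an element.
function attr(attrs, name) {
  const m = attrs.match(new RegExp(name + '="([^"]*)"'));
  return m ? m[1] : undefined;
}

// Returns a list of human-readable findings; an empty list means no
// over-permissive <allow-access-from> entries were found.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  const tagRe = /<allow-access-from\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = m[1];
    const domain = attr(attrs, 'domain') || '(no domain)';
    const secure = attr(attrs, 'secure');
    if (domain === '*') {
      findings.push('domain="*": any site can issue requests with the user\'s cookies and read the responses');
    } else if (domain.startsWith('*.')) {
      findings.push('domain="' + domain + '": every host under the suffix is trusted, including ones you do not control');
    }
    if (secure === 'false') {
      findings.push('secure="false" on ' + domain + ': an HTTPS policy is honoured for SWFs loaded over plain HTTP');
    }
  }
  return findings;
}
```

A policy that lists only the specific hosts that legitimately load the application, as TIGHT_POLICY does, produces no findings; the wildcard policy produces one finding per offending attribute.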


Organizations have been rated on the following five characteristics:

1. Adobe AIR
The
2.
The
3. Flex
The
4. Flex
The
5. Flex
The

Scoring

RIA Framework   1. Awareness   2. Requirements   3. Verification   4. AppSec Team   5. Response   Score
                Full           Full              Full              Full             Full          10
Oracle          Full           None              Partial           None             Full          5
Foobar          Full           Full              Full              Full             Full          ?