This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "RIA Security Smackdown"
From OWASP
| Line 48: | Line 48: | ||
| LSO | | LSO | ||
| N | | N | ||
| − | | | + | | Y |
| LD | | LD | ||
| ? | | ? | ||
| Line 64: | Line 64: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | N |
| ? | | ? | ||
| ? | | ? | ||
| Line 72: | Line 72: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | N |
| LD | | LD | ||
| ? | | ? | ||
| Line 80: | Line 80: | ||
| LSO | | LSO | ||
| N | | N | ||
| − | | | + | | LSO |
| LD | | LD | ||
| ? | | ? | ||
| Line 88: | Line 88: | ||
| LF | | LF | ||
| N | | N | ||
| − | | | + | | N |
| LD | | LD | ||
| ? | | ? | ||
| Line 96: | Line 96: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | N |
| LD | | LD | ||
| ? | | ? | ||
| Line 104: | Line 104: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | N |
| LD | | LD | ||
| ? | | ? | ||
| Line 112: | Line 112: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | Y |
| ? | | ? | ||
| ? | | ? | ||
| Line 120: | Line 120: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | LSO |
| LD | | LD | ||
| ? | | ? | ||
| Line 136: | Line 136: | ||
| N | | N | ||
| N | | N | ||
| − | | | + | | N |
| LD | | LD | ||
| ? | | ? | ||
Revision as of 05:55, 24 August 2007
Notes from the OWASP Washington chapter meeting where we discussed:
- Java Applet - very old technology, runs in sandbox
- Flash 7 - old flash movie environment
- JFX (Sun Java) - New scripting language compiles to bytecode, runs via Java Web Start
- Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
- Google Gears - local storage component with JavaScript API (Same Origin all the way down)
- AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV
Threat Agents to Consider
- Threat from external attackers
- Threat from malicious developers
References
AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf
Results
Key
- (Y) - Allowed by RIA framework
- (LF) - Limited by framework (a built in limitation or control)
- (LSO) - Limited by same origin policy (special built in policy)
- (LD) - Limited by developer (specified in a policy file like security.policy, jnlp, or crossdomain.xml)
- (LU) - Limited by user (specified in a policy file)
- (N) - Denied by RIA framework
| RIA Framework | Java Applet | Adobe Flash | Google Gears | Java FX (JFX) | MS Silverlight | Adobe AIR |
|---|---|---|---|---|---|---|
| Persistence - Does the RIA framework allow data to be persisted in the client? | N | LF | LSO | LD | LD | Y |
| Sharing - Does the RIA framework allow uploading data? | LSO | N | Y | LD | ? | Y |
| Exchange - Does the RIA framework use data formats that scramble data and code (HTML, JSON) | N | N | ? | LD | ? | Y |
| Pipes - Does the RIA framework allow multiple RIAs to communicate with each other on the client? | N | N | N | ? | ? | Y |
| Files - Does the RIA framework have access to the local file system? | N | N | N | LD | ? | Y |
| Sockets - Does the RIA framework have access to local network sockets? | LSO | N | LSO | LD | ? | Y |
| Windows - Does the RIA framework have the ability to create windows? | LF | N | N | LD | ? | Y |
| Devices - Does the RIA framework have the ability to access local cameras and microphones? | N | N | N | LD | ? | Y |
| Native - Does the RIA framework have access to local native code or executables? | N | N | N | LD | ? | Y |
| DOM - Does the RIA framework have access to the DOM? | N | N | Y | ? | ? | Y |
| Controls - Does the RIA framework have access to other components within the DOM? | N | N | LSO | LD | ? | Y |
| Self-Modify - Can an RIA modify the RIA framework? | N | N | ? | LD | ? | Y |
| DNS Pinning - Does the RIA framework protect against DNS pinning? | N | N | N | LD | ? | Y |
