RIA Security Smackdown
From OWASP
Revision as of 05:34, 24 August 2007 by Jeff Williams
Notes from the OWASP Washington chapter meeting where we discussed:
- FLEX (Adobe) - development environment for Flash Apps
- Flash Studio for movies
- Java Applet
- Flash 7
- JFX (Sun Java)
- Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
- Google Gears - local storage component with JavaScript API (Same Origin all the way down)
- AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV
Threat Agents
- Threat from external attackers
- Threat from malicious developers (sandbox?)
References
AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf
Results
Basic Problems
Key
- (A) - Allowed
- (LD) - Limited by developer
- (LU) - Limited by user
- (D) - Denied
RIA Framework | Java Applet | Adobe Flash | Google Gears | Java FX (JFX) | MS Silverlight | Adobe AIR |
---|---|---|---|---|---|---|
Persistence - Does the RIA framework allow data to be persisted in the client? | A | A | A | A | A | A |
Roles - Does the RIA framework enable multiple roles to use the same client? | A | A | A | A | A | A |
Sharing - Does the RIA framework allow sharing of data? | A | A | A | A | A | A |
Exchange - Does the RIA framework use data formats that mix data and code together (HTML, JSON)? | A | A | A | A | A | A |
Pipes - Does the RIA framework allow multiple applications to communicate with each other on the client? | A | A | A | A | A | A |
Files - Does the RIA framework have access to the local file system? | A | A | A | A | A | A |
Sockets - Does the RIA framework have access to local network sockets? | A | A | A | A | A | A |
Windows - Does the RIA framework have the ability to create windows? | A | A | A | A | A | A |
Devices - Does the RIA framework have the ability to access local cameras and microphones? | A | A | A | A | A | A |
Native - Does the RIA framework have access to local native code or executables? | A | A | A | A | A | A |
DOM - Does the RIA framework have access to the DOM? | A | A | A | A | A | A |
Controls - Does the RIA framework have access to other components within the DOM? | A | A | A | A | A | A |
Self-Modify - Can an RIA modify the RIA framework? | A | A | A | A | A | A |
DNS Pinning - Does the RIA framework protect against DNS pinning? | A | A | A | A | A | A |