RIA Security Smackdown

Notes from the OWASP Washington chapter meeting where we discussed:

• FLEX (Adobe) - development environment for Flash Apps
• Flash Studio for movies

• Java Applet
• Flash 7
• JFX (Sun Java)
• Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
• GWT + Google Gears
• AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents

• Threat from external attackers
• Threat from malicious developers (sandbox?)

Basic Problems

• Anyone going to this model will have to deal with how to handle sensitive information and sensitive functions on the client.
• Is there sharing of data between users? Download someone else's data into your application?
• How do you separate code from data? Does any data contain anything that might get interpreted? HTML, XML, JSON, Javascript, ???
• How do you separate one app from another app within the VM (same for DB)
• What happens when you move outside the browser? You lose the protection that the browser sandbox afford.
• Mashups?
• Connections between an RIA and an app running inside the browser (to steal SESSION)

References

AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf

Criteria

• Cross platform
• Local File system access
• Network access
• Built-in Database
• HTML
• JavaScript
• Support for cross-domain policy (crossdomain.xml)
• Windowing
• Drag and Drop

Organizations have been rated on the following five characteristics:

1. Adobe AIR

The

2.

The

3. Flex

The

4. Flex

The

5. Flex

The

Scoring