This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

RIA Security Smackdown

From OWASP
Revision as of 23:56, 23 August 2007 by Jeff Williams (talk | contribs)

Jump to: navigation, search

Notes from the OWASP Washington chapter meeting where we discussed:

  • FLEX (Adobe) - development environment for Flash Apps
  • Flash Studio for movies
  • Java Applet
  • Flash 7
  • JFX (Sun Java)
  • Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
  • Google Gears - local storage component with JavaScript API (Same Origin all the way down)
  • AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents

  • Threat from external attackers
  • Threat from malicious developers (sandbox?)

Basic Problems

  • Anyone going to this model will have to deal with how to handle sensitive information and sensitive functions on the client.
  • Is there sharing of data between users? Download someone else's data into your application?
  • How do you separate code from data? Does any data contain anything that might get interpreted? HTML, XML, JSON, Javascript, ???
  • How does data move between the RIA and the server? Is it just data or is embedded code possible?
  • How do you separate one app from another app within the VM (same for DB)
  • What happens when you move outside the browser? You lose the protection that the browser sandbox afford.
  • Mashups?
  • Connections between an RIA and an app running inside the browser (to steal SESSION)
  • What level of interaction is allowed with the browser and the DOM? Is there an API to interact with DOM? Can you interact with other components in the DOM?
  • How is interaction with native code allowed?
  • How is interaction with the code of the RIA platform allowed? Can you modify platform (Backbase)
  • How is information passed to the VM to restrict its behavior to comply with the Same Origin Policy
  • Protected against DNS pinning? Use TLS Certificates?

References

AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf


Criteria

  • Cross platform
  • Local File system access
  • Network access
  • Built-in Database
  • HTML
  • JavaScript
  • Support for cross-domain policy (crossdomain.xml)
  • Windowing
  • Drag and Drop


Organizations have been rated on the following five characteristics:

1. Adobe AIR
The
2.
The
3. Flex
The
4. Flex
The
5. Flex
The

Scoring

RIA Framework 1. Awareness 2. Requirements 3. Verification 4. AppSec Team 5. Response Score
Full Full Full Full Full 10
Oracle Full None Partial None Full 5
Foobar Full Full Full Full Full  ?


Retrieved from "https://wiki.owasp.org/index.php?title=RIA_Security_Smackdown&oldid=21071"