RIA Security Smackdown
From OWASP
Notes from the OWASP Washington chapter meeting where we discussed:
- Java Applet - very old technology, runs in sandbox
- Flash 7 - old flash movie environment
- JFX (Sun Java) - New scripting language compiles to bytecode, runs via Java Web Start
- Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
- Google Gears - local storage component with JavaScript API (Same Origin all the way down)
- AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV
Threat Agents to Consider
- Threat from external attackers
- Threat from malicious developers
References
AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf
Results
Key
- (Y) - Allowed by the RIA framework
- (LF) - Limited by the framework (a built-in limitation or control)
- (LSO) - Limited by the same-origin policy (a special built-in policy)
- (LD) - Limited by the developer (specified in a policy file such as security.policy, a jnlp file, or crossdomain.xml)
- (LU) - Limited by the user (specified in a policy file)
- (N) - Denied by the RIA framework
| RIA Framework | Java Applet | Adobe Flash | Google Gears | Java FX (JFX) | MS Silverlight | Adobe AIR |
|---|---|---|---|---|---|---|
| Persistence - Does the RIA framework allow data to be persisted on the client? | N | LF | LSO | LD | LD | Y |
| Sharing - Does the RIA framework allow uploading data? | LSO | LSO | Y | LD | ? | Y |
| Exchange - Does the RIA framework use data formats that mix data and code (HTML, JSON)? | N | N | ? | LD | ? | Y |
| Pipes - Does the RIA framework allow multiple RIAs to communicate with each other on the client? | N | N | N | ? | ? | Y |
| Files - Does the RIA framework have access to the local file system? | N | N | N | LD | ? | Y |
| Sockets - Does the RIA framework have access to local network sockets? | LSO | LSO | LSO | LD | ? | Y |
| Windows - Does the RIA framework have the ability to create windows? | LF | N | N | LD | ? | Y |
| Devices - Does the RIA framework have the ability to access local cameras and microphones? | N | LF | N | LD | ? | Y |
| Native - Does the RIA framework have access to local native code or executables? | N | N | N | LD | ? | Y |
| DOM - Does the RIA framework have access to the DOM? | N | Y | Y | ? | ? | Y |
| Controls - Does the RIA framework have access to other components within the DOM? | N | Y | LSO | LD | ? | Y |
| Self-Modify - Can an RIA modify the RIA framework? | N | N | ? | LD | ? | Y |
| DNS Pinning - Does the RIA framework protect against DNS pinning? | N | N | N | LD | ? | N |
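Several cells in the table are marked (LD), meaning the restriction is only as strong as the policy file the developer ships. The following audit script is an added example and is not part of the original chapter notes or any OWASP tool: it parses a Flash/AIR crossdomain.xml policy (one of the files named in the key) and reports the settings that widen the same-origin restriction. The two sample policies and the hostname `www.example.com` are constructed for the example.

```python
"""Audit an Adobe crossdomain.xml policy, the developer-controlled (LD)
limitation from the key above.  Added example; not OWASP's own code."""
import xml.etree.ElementTree as ET

# Constructed sample: a fully open policy that lets any origin read the site.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# Constructed sample: access pinned to one origin, TLS only, master policy only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    findings = []

    # Without <site-control> the meta-policy is left at the player default
    # instead of being pinned to the master policy file.
    if root.find("site-control") is None:
        findings.append("no <site-control>: meta-policy not pinned to master-only")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin access')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain match {domain!r}")
        # secure="false" lets an http:// SWF use a policy served over https://.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for {domain!r}: usable from plain HTTP')

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("headers", "") == "*":
            findings.append('allow-http-request-headers-from headers="*" forwards any header')

    return findings


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or "no findings")
```

The script only inspects the policy document itself; whether the file is actually served from the site root (the master policy location) has to be checked separately.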