Living in the RIA World

Presented at DEF CON 16 (2008), Aug. 8, 2008, 3 p.m. (50 minutes)

Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals. Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms. We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of RIA applications.

Presenters:

  • Justine Osborne - Security Consultant, iSEC Partners
    Justine Osborne is a Security Consultant with iSEC Partners. Justine specializes in web application penetration testing and her research interests include AJAX web applications, Flash, and emerging web technologies. Justine holds a BA in Computer Science from Mills College in Oakland, California.
  • David Thiel - Senior Security Consultant, iSEC Partners
    David Thiel is a Senior Security Consultant with iSEC Partners. David has over 12 years of computer security experience, auditing and designing security infrastructure in the electronic commerce, government, aerospace and online wagering industries. His areas of expertise are web application penetration testing, network protocols, and fuzzing. Research interests include media software vulnerabilities, mobile and embedded device exploitation, and attack vectors in emerging web application technologies and network protocols. David has presented research and security topics at Black Hat USA as well as to the HTCIA.
  • Alex Stamos - Founding Partner, iSEC Partners Inc.
    Alex Stamos is a Founding Partner of iSEC Partners and an experienced security engineer and consultant specializing in application security and incident response. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as BlackHat, DefCon, SyScan, Infragard, Microsoft BlueHat, Toorcon, the Web 2.0 Expo and OWASP AppSec. He holds a BSEE from the University of California, Berkeley, and spends his spare time chasing his baby son and sailing on the SF Bay.