Co-produced by TechWeb and O'Reilly Media, Inc.
©2008 TechWeb and O'Reilly Media, Inc.
The internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of Web 2.0 and “Rich Internet” technologies giving us faster, more exciting, and more useful web applications. Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, together with the invention of new client-side frameworks for providing desktop functionality, has created new classes of vulnerabilities and made classic web application attacks more difficult to prevent.
This workshop is intended to introduce the advanced web developer to the most important security flaws currently plaguing the Web, demonstrate how these flaws can be used in real life, and teach the mitigation techniques developers can use to prevent security bugs.
We will discuss XSS, Cross-Site Request Forgery (CSRF), parameter tampering, and object serialization attacks in Ajax applications. We will also discuss our security analysis of several popular Ajax frameworks and the security responsibilities of developers who use off-the-shelf Ajax on their sites.
The workshop will then cover the security models of the most popular RIA platforms: Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. We will discuss how RIA changes current attacks against web applications and outline new types of vulnerabilities that are unique to this paradigm. The workshop will cover each of these flaw types as well as the steps developers must take to prevent attacks against their own RIA applications.
The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with an advanced understanding of HTML and JavaScript and a basic understanding of at least one RIA platform.
Alex Stamos is a Founding Partner of iSEC Partners, Inc., a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat, and OWASP AppSec. He is a contributing author of “Hacking Exposed: Web 2.0” and holds a BSEE from the University of California, Berkeley.