Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

    Security: JavaScript Hijacking

    A vulnerability in many Ajax frameworks has been discovered by Fortify Software. The full vulnerability description is available here:

    http://www.fortifysoftware.com/servl..._Hijacking.pdf

    Not vulnerable
    --------------
    No version of SmartClient is vulnerable to this attack when using the default xmlHttpRequest or hiddenFrame RPC transports when binding to web services, custom XML, or any requests that use the SmartClient Java Server RPCManager or DMI interfaces to respond to client requests.

    Possibly vulnerable
    ------------------
    If your application uses custom RPC requests that use the xmlHttpRequest transport that also specify serverOutputAsString: true or evalResult: true and target a URL that returns Javascript code/collections that are considered secure data, then you may be vulnerable.

    If your application explicitly specifies the scriptInclude transport when making calls to the server and those calls can return secure data, then you may be vulnerable.

    If your application uses the ViewLoader class that targets a URL that may return secure data, then you may be vulnerable.

    Recommended remedies
    -----------------------
    If your application makes use of the facilities described in the "Possibly vulnerable" section above or uses non-SmartClient code to make calls to the server, we recommend you follow the remedies described in the paper, specifically to include a session id or similar unique identifier as part of all such requests made to the server and enforce this restriction in your server-side code. You can send a unique identifier as a parameter with any request as follows:

    Code:
    isc.RPCManager.sendRequest({
        actionURL: "/your/endpoint",
        params: {sessionId: "some unique string"},
        ....
    });
    To pass a unique parameter when using the ViewLoader, use the viewURLParams attribute as follows:

    Code:
    isc.ViewLoader.create({
        ID: "myViewLoader",
        viewURL: "/your/endpoint",
        viewURLParams: {sessionId: "some unique string"},
        ....
    });
    Then on the server, you need to match the unique parameter that the client sent with the authoritative copy on the server and reject any request that does not provide a matching value.
    Last edited by Isomorphic; 5 Apr 2007, 13:40.
Working...
X