This link has been bookmarked by 67 people. It was first bookmarked on 02 Apr 2007, by bkmrkr.
24 Jan 11
insecure server-side session management
To be truly safe, you may want to always assume that strings destined for innerHTML or eval are unsafe, but at the very least you've got to Know Your Code.

For instance, if you're writing a custom Widget that includes a hyperlink, you might include a setURL(String) method. If you do, though, you should consider adding a test to make sure that the new URL data doesn't actually contain a "javascript:" URL.

Protecting Your Application

As a GWT user, you can help reduce XSS vulnerabilities in your code by following these guidelines:

- Carefully inspect and strip or escape any strings you assign to innerHTML using GWT code
- Carefully inspect any JavaScript strings you pass to GWT's JSON parser
- Carefully inspect any strings you pass to eval or assign to innerHTML via a JSNI method
- Take care in your native JSNI methods to not do anything that would expose you to attacks

The GWT team is considering adding support for standard string inspection to the GWT library. You would use this to validate any untrusted string to determine if it contains unsafe data (such as a <script> tag.) The idea is that you'd use this method to help you inspect any strings you need to pass to innerHTML or eval. However, this functionality is only being considered right now, so for the time being it's still important to do your own inspections. Be sure to follow the guidelines above -- and be sure to be paranoid!

If you only intend your JSON data to be returned via an XMLHTTPRequest, wrapping the data in a block comment prevents someone from stealing it via a <script> tag. If you are using JSON as the data format exposed by your own services and don't intend servers in other domains to use it, then there is no reason not to use this technique. It might keep your data safe even in the event that an attacker manages to forge a cookie.
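Two of the checks in the highlights above, written as an added example in plain JavaScript rather than GWT/JSNI code (this is not code from the GWT article): the block-comment wrapping of a JSON response together with the matching unwrap on the XMLHttpRequest side, and the "javascript:" URL test suggested for a widget's setURL(String). The function names and the strict http(s)-only allowlist are my own choices.

```javascript
// Added example, not code from the GWT article: a comment-wrapped JSON
// response (server and client sides) and an href check for a setURL() method.
const JSON_PREFIX = "/*";
const JSON_SUFFIX = "*/";

// Server side: wrap the JSON body in a block comment. Loaded through a
// <script src=...> tag the whole response is a comment and evaluates to
// nothing; an XMLHttpRequest caller that knows the convention unwraps it.
// A "*/" inside a string value would close the comment early, so it is
// re-escaped as "*\/" ("\/" is a legal JSON escape, so the data is unchanged).
function wrapJsonResponse(obj) {
  const body = JSON.stringify(obj).replace(/\*\//g, "*\\/");
  return JSON_PREFIX + body + JSON_SUFFIX;
}

// Client side: accept only responses that carry the wrapper, then parse with
// JSON.parse rather than eval so the payload can never execute as code.
function unwrapJsonResponse(text) {
  const t = String(text).trim();
  if (!t.startsWith(JSON_PREFIX) || !t.endsWith(JSON_SUFFIX)) {
    throw new Error("response is not comment-wrapped JSON");
  }
  return JSON.parse(t.slice(JSON_PREFIX.length, -JSON_SUFFIX.length));
}

// The test the article suggests for a widget's setURL(String): refuse any
// value whose scheme resolves to javascript:. Browsers strip leading and
// trailing C0 controls and spaces and drop tab/CR/LF anywhere before reading
// the scheme, so the check normalises the same way. As a stricter variant
// of the article's advice it allows only http(s) and relative URLs.
function isSafeHref(url) {
  const s = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (m === null) return true; // no scheme at all: a relative URL
  return m[1] === "http" || m[1] === "https";
}
```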
11 May 07
aminggs: Before going into the GWT specifics, the article gives some useful background on AJAX security issues including Same-Origin Policy, Cross-Site Scripting, Cross-Site Request Forging, and JSON.
document article gwt infosec ajax javascript json xss web vulnerability import:delicious
15 Apr 07
auxonne: This article is a primer on JavaScript attacks, intended for GWT developers. The first portion describes the major classes of attacks against JavaScript in general terms that are applicable to any AJAX framework.
05 Apr 07
It is a sad truth that JavaScript applications are easily left vulnerable to several types of security exploits, if developers are unwary. Because the Google Web Toolkit (GWT) produces JavaScript code, we GWT developers are no less vulnerable to JavaScript attacks than anyone else. However, because the goal of GWT is to allow developers to focus on their users' needs instead of JavaScript and browser quirks, it's easy to let our guards down. To make sure that GWT developers have a strong appreciation of the risks, we've put together this article.