Eclipse Community Forums
Home » Eclipse Projects » Remote Application Platform (RAP) » RAP and Anti XSS features
RAP and Anti XSS features [message #1703398] Fri, 31 July 2015 09:42
Paul-Antoine Bourgeois
Messages: 4
Registered: July 2015
Junior Member
Hi,

I have been working with RAP for some time now and I am wondering how RAP is coping with cross-site scripting attack vectors in general, and also specifically JSON injection.

I have tried a few vectors and it seems to behave nicely. Apparently no need to sanitize inputs. The rendering seems also to be fine even when some tags or malicious script is stored and retrieved from the DB to be put in a page.

Does it mean RAP is already actively handling those threats?
How does it work? What risks are covered?

Many thanks.
Re: RAP and Anti XSS features [message #1703608 is a reply to message #1703398] Mon, 03 August 2015 15:38
Ralf Sternberg
Messages: 1313
Registered: July 2009
Senior Member

All content that is displayed in the browser must have been set using an
API method such as Label.setText(). All these methods encode their
input, so that any malicious content would only be printed instead of
evaluated. Markup-enabled widgets parse the texts and ensure that only a
defined subset of HTML elements is used.

I believe that this application model makes RAP pretty safe against the
typical exploits. However, we're not security experts here and we rely
on the community to point out issues. For example, just recently we've
closed an issue [1] regarding unlikely but possible CSRF [2] attacks. If
you have questions or concerns about other security threats, please let
us know.

Regards,
Ralf

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=413668
[2] https://en.wikipedia.org/wiki/Cross-site_request_forgery

--
Ralf Sternberg

Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/

Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
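The two defences described in the reply above, as an added illustration in plain JavaScript that is not RAP's own code: a text-encoding function standing in for what a text-only API such as Label.setText() must do before a value reaches the page, and an allowlist filter standing in for a markup-enabled widget. The allowed element set and the stored sample value are assumptions made for this example.

```javascript
// Added illustration (not RAP's code): the two defences modelled as pure
// string functions so they run under Node without a DOM.
// 1. encodeText(): what a text-only API must do so markup is printed, not evaluated.
// 2. filterMarkup(): what a markup-enabled widget must do, keeping only a
//    defined subset of elements and encoding everything else.

// HTML entity encoding for text content and attribute values.
function encodeText(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Assumed element subset for this example; RAP's real subset is defined by
// the framework, not by this list.
const ALLOWED_ELEMENTS = new Set(['b', 'i', 'u', 'em', 'strong', 'br']);

// Pass through only allowed, attribute-free tags; everything else is encoded
// so that it renders as literal text. A tag carrying attributes (onclick=,
// href=, ...) never matches the tag pattern and is therefore always encoded,
// even when the element name itself is allowed.
function filterMarkup(markup) {
  const tag = /<\/?([a-zA-Z][a-zA-Z0-9]*)\s*\/?>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tag.exec(markup)) !== null) {
    out += encodeText(markup.slice(last, m.index));
    const name = m[1].toLowerCase();
    out += ALLOWED_ELEMENTS.has(name) ? m[0].toLowerCase() : encodeText(m[0]);
    last = m.index + m[0].length;
  }
  return out + encodeText(markup.slice(last));
}

// Constructed sample: a value as it might come back from the database after
// a user stored a script tag alongside legitimate markup.
const STORED_VALUE = '<script>alert(1)</script><b>bold</b>';

console.log('text widget   :', encodeText(STORED_VALUE));
console.log('markup widget :', filterMarkup(STORED_VALUE));
```

The filter does not balance tags, so a rejected opening tag may leave its allowed closing tag in place; that is harmless for rendering but worth knowing before reusing the pattern.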
Re: RAP and Anti XSS features [message #1704873 is a reply to message #1703608] Mon, 10 August 2015 09:25
Paul-Antoine Bourgeois
Messages: 4
Registered: July 2015
Junior Member
Thanks for this.

Yes I have a particular point that might be interesting in that perspective.
In rap-client.js I can see that this function might be a risk:

    _configRequest : function() {
      if( !Client.isWebkit() ) {
        this._request.setRequestHeader( "Referer", window.location.href );
      }
      var contentType = "application/json; charset=UTF-8";
      this._request.setRequestHeader( "Content-Type", contentType );
      if( this._shouldUseStateListener() ) {
        this._request.onreadystatechange = rwt.util.Functions.bind( this._onReadyStateChange, this );
      }
    },


Don't you think this (this._request.setRequestHeader( "Referer", window.location.href );) could allow an attacker to cause the user to perform unintended actions by using a DOM-based Ajax request header manipulation?
Data is read from window.location.href and used to alter the header. Is that header used by RAP (server-side) in a way that could alter its behaviour?

Many thanks.
Re: RAP and Anti XSS features [message #1714535 is a reply to message #1704873] Fri, 13 November 2015 12:43
Paul-Antoine Bourgeois
Messages: 4
Registered: July 2015
Junior Member
Allow me to up this topic.

After looking in the RAP sources, I couldn't find a use of the 'Referer' header anywhere.
I also ran tests using a patched org.eclipse.rap.rwt\bin\rwt\remote\Request.js having this line
this._request.setRequestHeader( "Referer", window.location.href );
commented out and our application deployed, and I could see no impact.

Seeing this, I would assume that header is not used.

Could you please confirm or deny this assumption?

Regards,
Paul.
Re: RAP and Anti XSS features [message #1714537 is a reply to message #1714535] Fri, 13 November 2015 13:03
Ivan Furnadjiev
Messages: 2426
Registered: July 2009
Location: Sofia, Bulgaria
Senior Member
Hi,
yes... to my knowledge the "Referer" header is not used by the RAP
framework.
Regards,
Ivan

--
Ivan Furnadjiev

Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/

Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
Re: RAP and Anti XSS features [message #1714973 is a reply to message #1703398] Wed, 18 November 2015 08:54
Paul-Antoine Bourgeois
Messages: 4
Registered: July 2015
Junior Member
The issue has been fixed: https://git.eclipse.org/r/#/c/60686/

Thanks again!