RAP and Cross Site Request Forgery attacks [message #1481881] Fri, 21 November 2014 09:45
Lukasz Koniecki
Messages: 2
Registered: June 2011
Junior Member
I have a question about RAP and Cross Site Request Forgery attacks. Does RAP implement any prevention mechanism against such attacks?

I found virtually no information about RAP security, neither in the official documentation nor on the internet.

The only reference in RAP 2.2.0 Release Notes:

Quote:

Bug 413668 - Cross Site Request Forgery vulnerability (aka CSRF/XSRF)

There is a reference to Bug 413668, but I get a "You are not authorized to access bug #413668." error when trying to view it in Bugzilla.

Can you share some more information about RAP security in case of CSRF attacks?

Thanks in advance

Regards
luke
Re: RAP and Cross Site Request Forgery attacks [message #1482138 is a reply to message #1481881] Fri, 21 November 2014 14:24
Markus Knauer
Messages: 179
Registered: July 2009
Senior Member

Quote:
There is a reference to Bug 413668, but I get a "You are not authorized to access bug #413668." error when trying to view it in Bugzilla.

I've enabled access to the bug report now. It was still hidden because it was a security related bug, but it should have been made visible after fixing it. You should be able to review the discussion on the bug now.

Regards,
Markus


--

Twitter: @mknauer23 and @EclipseRAP
Blog: http://eclipsesource.com/blogs/

Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
Re: RAP and Cross Site Request Forgery attacks [message #1485568 is a reply to message #1482138] Mon, 24 November 2014 10:50
Lukasz Koniecki
Messages: 2
Registered: June 2011
Junior Member
Markus,

Thanks for sharing the bug report.

From what I understand from the bug report, RAP only checks in REST services whether Content-Type is set to application/json. No Synchronizer Token has been implemented.

Is this true both for 2.1 and for 2.2 release? Any plans regarding the token for the 3.0 release?

Regards,
luke
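The two mechanisms contrasted in this thread, a Content-Type gate on state-changing requests versus a synchronizer token tied to the server-side session, are shown below as an added illustration. This is not RAP's code and makes no claim about how RAP implements its check; the Request and Session classes, the X-CSRF-Token header name and the csrf_token form field are assumptions chosen for the example, and the four sample requests are constructed. The point it makes concrete is the one the last post raises: a Content-Type check only stops requests that cannot set that header (a plain HTML form submission), while any request that does carry application/json passes it, so a per-session token is what actually binds the request to the user's session.

```python
"""CSRF request gates: Content-Type check versus synchronizer token (illustrative, not RAP code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods are not gated


@dataclass
class Session:
    """Server-side session; the CSRF token is stored here, not only in a cookie (assumed model)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model for the example: method, headers, form fields, bound session."""
    method: str
    headers: dict
    form: dict = field(default_factory=dict)
    session: Optional[Session] = None


def media_type(req: Request) -> str:
    """Content-Type without parameters, lower-cased ('application/json; charset=utf-8' -> 'application/json')."""
    return req.headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def content_type_gate(req: Request) -> bool:
    """The kind of check the thread describes: state-changing requests must carry application/json."""
    if req.method.upper() in SAFE_METHODS:
        return True
    return media_type(req) == "application/json"


def synchronizer_token_gate(req: Request) -> bool:
    """Synchronizer token pattern: the submitted token must equal the token held in the server session."""
    if req.method.upper() in SAFE_METHODS:
        return True
    if req.session is None:
        return False
    # Assumed transport: either an X-CSRF-Token header or a csrf_token form field.
    submitted = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
    if not submitted:
        return False
    # Constant-time comparison so the check itself does not leak the token byte by byte.
    return hmac.compare_digest(submitted, req.session.csrf_token)


def accept(req: Request, require_token: bool) -> bool:
    """Policy: always apply the Content-Type gate; additionally require the token when asked."""
    if not content_type_gate(req):
        return False
    if require_token and not synchronizer_token_gate(req):
        return False
    return True


def demo() -> dict:
    """Runs constructed requests through both policies; returns {name: (content_type_only, with_token)}."""
    session = Session()
    # 1. Legitimate client: JSON body and the session's own token in a header.
    legit = Request("POST", {"Content-Type": "application/json",
                             "X-CSRF-Token": session.csrf_token}, session=session)
    # 2. Plain HTML form post: a form cannot set application/json, so the Content-Type gate rejects it.
    form_post = Request("POST", {"Content-Type": "application/x-www-form-urlencoded"},
                        form={"action": "delete"}, session=session)
    # 3. JSON request with no token: passes the Content-Type gate, fails the token gate.
    json_no_token = Request("POST", {"Content-Type": "application/json"}, session=session)
    # 4. Read-only request: neither gate applies.
    read = Request("GET", {}, session=session)
    return {
        "legit": (accept(legit, False), accept(legit, True)),
        "form_post": (accept(form_post, False), accept(form_post, True)),
        "json_no_token": (accept(json_no_token, False), accept(json_no_token, True)),
        "read": (accept(read, False), accept(read, True)),
    }


if __name__ == "__main__":
    for name, (ct_only, with_token) in demo().items():
        print(f"{name:14s} content-type only: {str(ct_only):5s}  with token: {with_token}")
```

Running the script prints one line per constructed request; the json_no_token case is the one that separates the two policies, since it is accepted under the Content-Type-only policy and rejected once a synchronizer token is required.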