I got a request today to verify that the Drools JBRMS is not vulnerable to "JavaScript Hijacking" - a term coined by Fortify Software in an article in March 2007 where they note that GWT is vulnerable to JavaScript Hijacking if some default behaviors are changed.

Based on the research I've done so far, I don't think this is the case, but am posting to the list to see if someone more knowledgeable on the JBRMS than myself (wouldn't take much) has considered this issue.

Here's why I don't think the JBRMS is vulnerable:

1. The Fortify Software article says you need to use HTTP GET requests to be vulnerable. GWT's default behavior is to use HTTP POST requests, and I only found POST requests in the GWT-compiler-generated HTML files for version 4.0.4.

I'm posting to the list because I didn't see any drools-jbrms JIRA issues regarding security.

Thanks,
Dave Warren
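As an added example (not code from this post, from Drools or from GWT), here is the server-side policy that the GET-versus-POST reasoning above implies, written as a small Python check so it can be run over a few constructed requests. The GWT-RPC content type and the idea of an extra custom header are assumptions about GWT-RPC traffic, not facts taken from the mail.

```python
# Added illustration, not Drools/GWT project code.
#
# A cross-site <script src="..."> include can only issue a GET with no
# request body and no custom headers.  An endpoint that insists on POST
# with the GWT-RPC content type therefore never hands its response to a
# hijacking page, even if that response would otherwise be parseable as
# JavaScript.  Requiring a custom header (optional below) is defence in
# depth: neither <script> nor a plain HTML form can set one.

GWT_RPC_CONTENT_TYPE = "text/x-gwt-rpc"   # assumed GWT-RPC media type


def is_allowed_rpc_request(method, headers, required_header=None):
    """True only for requests a <script> tag or HTML form could not make."""
    if method.upper() != "POST":
        return False
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "")
    # Accept "text/x-gwt-rpc; charset=utf-8" etc.; reject form encodings.
    if content_type.split(";")[0].strip().lower() != GWT_RPC_CONTENT_TYPE:
        return False
    if required_header is not None and required_header.lower() not in lowered:
        return False
    return True


# Constructed sample requests (method, headers), labelled by origin shape.
SAMPLE_REQUESTS = [
    ("GET", {"Accept": "*/*"}),                                    # <script src=...>
    ("POST", {"Content-Type": "text/x-gwt-rpc; charset=utf-8"}),   # GWT client RPC
    ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),  # cross-site form
    ("GET", {"Content-Type": "text/x-gwt-rpc"}),                   # GET never allowed
]


def audit(requests, required_header=None):
    """Apply the policy to each (method, headers) pair; return decisions."""
    return [is_allowed_rpc_request(m, h, required_header) for m, h in requests]


if __name__ == "__main__":
    for (method, headers), ok in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(f"{method:4} {headers.get('Content-Type', '-'):45} -> "
              f"{'allow' if ok else 'reject'}")
```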