I got a request today to verify that the Drools JBRMS is not vulnerable to "JavaScript Hijacking" - a term coined by Fortify Software in an article in March 2007 where they note that GWT is vulnerable to JavaScript Hijacking if some default behaviors are changed.
 
Based on the research I've done so far, I don't think this is the case, but am posting to the list to see if someone more knowledgeable on the JBRMS than myself (wouldn't take much) has considered this issue.
 
Here's why I don't think the JBRMS is vulnerable:
 
1.  The Fortify Software article says you need to use HTTP GET requests to be vulnerable.  GWT's default behavior is to use HTTP POST requests, and I only found POST requests in the GWT-compiler-generated HTML files for version 4.0.4.
 
2.  The Fortify Software article says you can be vulnerable if you use JSON.  I don't see any instances of JSON in the JBRMS source code - as best as I can tell from Google's GWT documentation, you would use their JSONParser class if you were doing this (http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications).
 
I'm posting to the list because I didn't see any drools-jbrms JIRA issues regarding security.
 
Thanks,
Dave Warren
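As an added defender-side illustration of the two conditions discussed in the post (this is example code, not code from the post, from Drools or from GWT): a `<script src="...">` include can only issue an HTTP GET and cannot attach custom request headers, so a JSON-returning endpoint that serves only POST requests carrying a custom header cannot be pulled in that way. The header name `X-Requested-With`, the `)]}',` response prefix and the sample request objects are all assumptions constructed for the example, not values taken from the JBRMS.

```javascript
// Added example, not part of the original post or of Drools/GWT.
// A request guard for a JSON endpoint: require POST plus a custom header,
// which a <script> tag cannot supply, and frame the response so that it is
// a syntax error if it were ever evaluated as a script.

const REQUIRED_HEADER = 'x-requested-with'; // assumed header name, compared case-insensitively

// Returns { ok, reason } for a request object of the form { method, headers }.
function isJsonRequestAllowed(req) {
  const method = String(req.method || '').toUpperCase();
  if (method !== 'POST') {
    return { ok: false, reason: 'method must be POST' };
  }
  // Normalise header names so the check does not depend on caller casing.
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  if (!headers[REQUIRED_HEADER]) {
    return { ok: false, reason: `missing ${REQUIRED_HEADER} header` };
  }
  return { ok: true, reason: 'ok' };
}

// Assumed framing prefix: a JavaScript engine fails to parse it, so a JSON
// array or object behind it cannot be consumed by a <script> include, while
// an XMLHttpRequest caller simply strips it before JSON.parse.
const JSON_PREFIX = ")]}',\n";

function wrapJsonResponse(value) {
  return JSON_PREFIX + JSON.stringify(value);
}

function unwrapJsonResponse(text) {
  if (!text.startsWith(JSON_PREFIX)) {
    throw new Error('unexpected response framing');
  }
  return JSON.parse(text.slice(JSON_PREFIX.length));
}

// Constructed sample requests (not captured traffic):
// what a <script src> include can send, and what an RPC client would send.
const scriptTagStyleRequest = { method: 'GET', headers: { accept: '*/*' } };
const rpcStyleRequest = {
  method: 'POST',
  headers: { 'X-Requested-With': 'XMLHttpRequest', 'content-type': 'application/json' },
};

console.log(isJsonRequestAllowed(scriptTagStyleRequest)); // rejected: GET
console.log(isJsonRequestAllowed(rpcStyleRequest));       // allowed
console.log(wrapJsonResponse({ rules: ['r1', 'r2'] }));
```

The guard and the response prefix are independent layers: the first refuses the request shape a script include can produce, the second makes the body useless even if some other GET path to it were found.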