[rules-dev] Drools JBRMS vulnerability to "JavaScript Hijacking" (or hopefully lack of thereof)
Warren, David [USA]
warren_david at bah.com
Fri Feb 29 16:37:17 EST 2008
I got a request today to verify that the Drools JBRMS is not vulnerable
to "JavaScript Hijacking" - a term coined by Fortify Software in an
article in March 2007 where they note that GWT is vulnerable to
JavaScript Hijacking if some default behaviors are changed.
Based on the research I've done so far, I don't think this is the case,
but am posting to the list to see if someone more knowledgeable on the
JBRMS than myself (wouldn't take much) has considered this issue.
Here's why I don't think the JBRMS is vulnerable:
1. The Fortify Software article says you need to use HTTP GET requests
to be vulnerable. GWT's default behavior is to use HTTP POST requests,
and I only found POST requests in the GWT-compiler-generated HTML files
for version 4.0.4.
2. The Fortify Software article says you can be vulnerable if you use
JSON. I don't see any instances of JSON in the JBRMS source code - as
best as I can tell from Google's GWT documentation, you would use their
JSONParser class if you were doing
this(http://groups.google.com/group/Google-Web-Toolkit/web/security-for-
gwt-applications
<http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-
applications> ).
I'm posting to the list because I didn't see any drools-jbrms JIRA
issues regarding security.
Thanks,
Dave Warren
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/rules-dev/attachments/20080229/b754f256/attachment.html
More information about the rules-dev
mailing list