Re: [orion-dev] Protection against Java Script Hijacking

Hi Matthias,

Thanks for the post. So yes, there has been consideration of this type of attack and related attacks; however, it's naturally a constant effort and we are always looking for help on pen testing and improving this aspect of Orion and its architecture.
First, for this specific attack see -- http://stackoverflow.com/questions/16289894/is-json-hijacking-still-an-issue-in-modern-browsers
TLDR; -- modern browsers are no longer vulnerable to this type of attack.

Now, with that said, the sorts of protections suggested by the PDF you linked for CSRF are still very relevant to Orion. Vulnerable plugins really should use CSRF tokens for server communication. In addition, I think we should build similar protections directly into the plugin registry <-> plugin communication, and it would be great to make some progress on this for June.

To everyone...
I know this is a topic a few of the other committers are deeply interested in, and if it would be helpful I could host a call to talk about this stuff. What do you think?

-Simon

From: "Schmalz, Matthias" <matthias.schmalz@xxxxxxx>
To: Orion developer discussions <orion-dev@xxxxxxxxxxx>
Cc: "Podgaetsky, Genady" <genady.podgaetsky@xxxxxxx>, "Sohn, Matthias" <matthias.sohn@xxxxxxx>
Date: 04/14/2014 03:02 AM
Subject: [orion-dev] Protection against JavaScript Hijacking
Sent by: orion-dev-bounces@xxxxxxxxxxx


Hi All,
 
currently we are doing some security considerations for the usage of Orion.
One topic that came up here is the protection against JavaScript hijacking (see http://capec.mitre.org/data/definitions/111.html or http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf).
Have there already been any considerations about the relevance of this attack for Orion? Are there any plans to implement a protection?
An example of an attack target could be the user preference store, which contains the user’s e-mail address, full name and login user.
 
Best regards
Matthias Schmalz
 _______________________________________________
orion-dev mailing list
orion-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orion-dev