Re: [orion-dev] Protection against Java Script Hijacking

Simon,

A separate security call is certainly a good decision. Security is a system
of connected vessels and involves many, not only development, aspects.
I think a security meeting could help us gather security issues regarding
Orion, brainstorm and set up a plan for the future.

Best regards,

MACIEJ BENDKOWSKI
Software Engineer - Eclipse Orion
Phone: 48-12 6289687 x34819
E-mail: maciej.bendkowski@xxxxxxxxxx
IBM





From:	Simon Kaegi <Simon_Kaegi@xxxxxxxxxx>
To:	Orion developer discussions <orion-dev@xxxxxxxxxxx>
Cc:	"Podgaetsky, Genady" <genady.podgaetsky@xxxxxxx>, "Sohn, Matthias" <matthias.sohn@xxxxxxx>
Date:	15-04-2014 06:49
Subject:	Re: [orion-dev] Protection against Java Script Hijacking
Sent by:	orion-dev-bounces@xxxxxxxxxxx



Hi Matthias,

Thanks for the post. So yes, there has been consideration of this type of
attack and related attacks; however, it's naturally a constant effort and we
are always looking for help on pen testing and improving this aspect of
Orion and its architecture.
First, for this specific attack see --
http://stackoverflow.com/questions/16289894/is-json-hijacking-still-an-issue-in-modern-browsers

TLDR; -- modern browsers are no longer vulnerable to this type of attack.

Now, with that said the sorts of protections suggested by the PDF you
linked for CSRF are still very relevant to Orion. Vulnerable plugins really
should use CSRF tokens for server communication. In addition I think we
should build similar protections directly into the plugin registry <->
plugin communication and it would be great to make some progress on this
for June.

To everyone...
I know this is a topic a few of the other committers are deeply interested in,
and if it would be helpful I could host a call to talk about this stuff.
What do you think?

-Simon

From:	"Schmalz, Matthias" <matthias.schmalz@xxxxxxx>
To:	Orion developer discussions <orion-dev@xxxxxxxxxxx>
Cc:	"Podgaetsky, Genady" <genady.podgaetsky@xxxxxxx>, "Sohn, Matthias" <matthias.sohn@xxxxxxx>
Date:	04/14/2014 03:02 AM
Subject:	[orion-dev] Protection against Java Script Hijacking
Sent by:	orion-dev-bounces@xxxxxxxxxxx


Hi All,

currently we are doing some security considerations for the usage of Orion.
One topic that came up here is the protection against Java script
hijacking (see http://capec.mitre.org/data/definitions/111.html or
http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf).
Have there already been any considerations about the relevance of this
attack for Orion? Are there any plans to implement a protection?
An example for an attack target could be the user preference store which
contains the user’s e-mail address, full name and login user.

Best regards
Matthias Schmalz
 _______________________________________________
orion-dev mailing list
orion-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orion-dev
