Re: [orion-dev] Protection against Java Script Hijacking
Simon,
A separate security call is certainly a good decision. Security is a system
of connected vessels and involves many aspects, not only development.
I think a security meeting could help us gather security issues regarding
Orion, brainstorm and set up a plan for the future.
Best regards,
MACIEJ BENDKOWSKI
Software Engineer - Eclipse Orion
Phone: 48-12 6289687 x34819
E-mail: maciej.bendkowski@xxxxxxxxxx
IBM
From: Simon Kaegi <Simon_Kaegi@xxxxxxxxxx>
To: Orion developer discussions <orion-dev@xxxxxxxxxxx>
Cc: "Podgaetsky, Genady" <genady.podgaetsky@xxxxxxx>, "Sohn,
Matthias" <matthias.sohn@xxxxxxx>
Date: 15-04-2014 06:49
Subject: Re: [orion-dev] Protection against Java Script Hijacking
Sent by: orion-dev-bounces@xxxxxxxxxxx
Hi Matthias,
Thanks for the post. So yes, there has been consideration of this type of
attack and related attacks; however, it's naturally a constant effort and we
are always looking for help on pen testing and improving this aspect of
Orion and its architecture.
First, for this specific attack see --
http://stackoverflow.com/questions/16289894/is-json-hijacking-still-an-issue-in-modern-browsers
TL;DR: modern browsers are no longer vulnerable to this type of attack.
Now, with that said the sorts of protections suggested by the PDF you
linked for CSRF are still very relevant to Orion. Vulnerable plugins really
should use CSRF tokens for server communication. In addition I think we
should build similar protections directly into the plugin registry <->
plugin communication and it would be great to make some progress on this
for June.
To everyone...
I know this is a topic a few of the other committers are deeply interested in,
and if it would be helpful I could host a call to talk about this stuff.
What do you think?
-Simon
From: "Schmalz, Matthias" <matthias.schmalz@xxxxxxx>
To: Orion developer discussions <orion-dev@xxxxxxxxxxx>
Cc: "Podgaetsky, Genady" <genady.podgaetsky@xxxxxxx>, "Sohn,
Matthias" <matthias.sohn@xxxxxxx>
Date: 04/14/2014 03:02 AM
Subject: [orion-dev] Protection against Java Script Hijacking
Sent by: orion-dev-bounces@xxxxxxxxxxx
Hi All,
currently we are doing some security considerations for the usage of Orion.
One topic that came up here is the protection against JavaScript
hijacking (see http://capec.mitre.org/data/definitions/111.html or
http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf).
Have there already been any considerations about the relevance of this
attack for Orion? Are there any plans to implement a protection?
An example for an attack target could be the user preference store which
contains the user’s e-mail address, full name and login user.
Best regards
Matthias Schmalz
_______________________________________________
orion-dev mailing list
orion-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orion-dev