0

CSRF and XSS Security

asked 2007-09-07 18:42:57 +0800

admin gravatar image admin
18691 1 10 129
ZK Team


Orignial message at:
https://sourceforge.net/forum/message.php?msg_id=4506978

By: fredjeansun

Is there protection built into the framework to guard against Cross-Site Scripting
(XSS) or Cross-Site Request Forgery (CSRF)? If not, what would be the best approach to add protections against those within ZK?

Fred

delete flag offensive retag edit

17 Replies

Sort by » oldest newest

answered 2010-01-12 06:59:45 +0800

jumin gravatar image jumin
12

Dear Mr. Admin. I saw that ZK claims to be a framework with:
- anti-XSS and anti-DoS protection
- Anti-Malicious JavaScript/SQL Injection
These points can be seen in "RIA/AJAX Framework Evaluation Checklist". Could anyone from ZK explains how these security threats are addressed by ZK framework?

Thank you in advance.

link publish delete flag offensive edit

answered 2010-01-18 01:35:46 +0800

tmillsclare gravatar image tmillsclare
799 2 5 29

Hello Jumin,

To answer your questions:

Anti-XSS and Anti-malicious JavaScript/SQL Injection protection are provided by our server-centric architecture. In addition to this we have added extra protection to prevent custom JavaScript from activating invisible or disabled components.

With regard to anti-DOS protection we have put in place two mechanisms to prevent a user overloading the server with many requests. By setting the two options “max-desktops-per-session” and “max-requests-per-session” you can limit the number of desktops and requests per session. This will prevent your web server succumbing to a DoS attack. However, please note that targeted DoS attacks from multiple IPs are better handled by the web host.

We put a great amount of emphasis on security and this is reflected by our excellent reputation among security companies. One such example is InfoCert, who deemed a ZK application to be the most secure in the entire company.

link publish delete flag offensive edit

answered 2010-03-05 05:21:41 +0800

j4jpp gravatar image j4jpp
15

Hi tmillsclare,

Can you guide how we can test it within our ZK application? Does ZK throws any exception when such condition is encountered?

link publish delete flag offensive edit

answered 2010-03-12 01:52:48 +0800

tmillsclare gravatar image tmillsclare
799 2 5 29

Hey j4jpp,

What would you like to test?

link publish delete flag offensive edit

answered 2010-03-17 13:13:16 +0800

j4jpp gravatar image j4jpp
15

Hi tmillsclare,

As you have mentioned that 'Anti-XSS and Anti-malicious JavaScript/SQL Injection protection are provided by our server-centric architecture', I wanted to test all these features. If you can provide some example code then it would be great. e.g. On a textbox of a screen if I enter some SQL input that can turn into a 'SQL Injection' attack. So, wanted to know how ZK will behave in this case. Will ZK throw some exception saying that 'SQL Injection detected' or something else will happen?

link publish delete flag offensive edit

answered 2010-03-18 02:59:14 +0800

PeterKuo gravatar image PeterKuo
481 2

What you input through textbox will be treated as pure string.
It won't execute sql unless you told it so.

link publish delete flag offensive edit

answered 2010-04-03 06:04:40 +0800

j4jpp gravatar image j4jpp
15

Hi PeterKuo,

I understand your point. For the queries posted by jumin above, tmillsclare has replied that required protection is provided by the server-centric architecture. So, I wanted to know & understand how we can test/check these inbuilt protections. From these we can understand what kind of protection is already provided by ZK. If you can guide something on these then it will be helpful.

link publish delete flag offensive edit

answered 2010-06-23 15:20:34 +0800

itlogo gravatar image itlogo
3

Bumping this thread. Are there any details about how the "server-centric" architecture protects applications against xss or csrf? Without any details, we have to assume that there aren't any precautions in place.

link publish delete flag offensive edit

answered 2010-07-20 13:36:46 +0800

xmedeko gravatar image xmedeko
1021 1 16
http://xmedeko.blogspot.c...

AFAIK ZK (3.6) is not well protected against CSRF. When I have a disabled or readonly textbox, then the user can very easily change the attributes of the "input" in the browser and change the value on the server side, too. IMHO the server implementation of the InputElement should check if the server has set disabled/readonly property, and if so, prevent the changing the value and log some warning or error. Also, the band/combo box should be strengthened by the similar way against opening the band/combo popup when the band/combo box is disabled/readonly.

link publish delete flag offensive edit

answered 2010-07-20 20:53:53 +0800

SimonPai gravatar image SimonPai
1696 1

Hi all,

Thanks xmedeko for pointing this out. In ZK 5 there is a way to specify a blocking mechanism for this kind of issue, see Security Tips.
If you have a security concern, it is recommended to use ZK 5.

Regards,
Simon

link publish delete flag offensive edit
Your reply
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow

RSS

Stats

Asked: 2007-09-07 18:42:57 +0800

Seen: 1,929 times

Last updated: Oct 25 '10

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More