Original message at:
https://sourceforge.net/forum/message.php?msg_id=4506978
By: fredjeansun
Is there protection built into the framework to guard against Cross-Site Scripting
(XSS) or Cross-Site Request Forgery (CSRF)? If not, what would be the best approach to add protections against those within ZK?
Fred
Dear Mr. Admin. I saw that ZK claims to be a framework with:
- anti-XSS and anti-DoS protection
- Anti-Malicious JavaScript/SQL Injection
These points can be seen in the "RIA/AJAX Framework Evaluation Checklist". Could anyone from ZK explain how these security threats are addressed by the ZK framework?
Thank you in advance.
Hello Jumin,
To answer your questions:
Anti-XSS and Anti-malicious JavaScript/SQL Injection protection are provided by our server-centric architecture. In addition to this we have added extra protection to prevent custom JavaScript from activating invisible or disabled components.
With regard to anti-DOS protection we have put in place two mechanisms to prevent a user overloading the server with many requests. By setting the two options “max-desktops-per-session” and “max-requests-per-session” you can limit the number of desktops and requests per session. This will prevent your web server succumbing to a DoS attack. However, please note that targeted DoS attacks from multiple IPs are better handled by the web host.
We put a great amount of emphasis on security and this is reflected by our excellent reputation among security companies. One such example is InfoCert, who deemed a ZK application to be the most secure in the entire company.
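The two per-session limits the reply names are set in ZK's zk.xml. The following is an added example, not a fragment from the thread or from the ZK documentation: the element names are the two options mentioned above, the enclosing `session-config` element and the numeric values are assumptions to be checked against the deployment's own zk.xml and tuned for the application.

```xml
<!-- Added example: per-session limits in zk.xml (values are illustrative). -->
<zk>
  <session-config>
    <!-- Cap on desktops (page instances) a single HTTP session may hold open -->
    <max-desktops-per-session>15</max-desktops-per-session>
    <!-- Cap on requests a single session may have in flight at once -->
    <max-requests-per-session>5</max-requests-per-session>
  </session-config>
</zk>
```

Both limits are scoped to one session, so they bound what a single client can do to the server; as the reply notes, a flood from many source addresses is a matter for the web host or an upstream filter, not for these settings.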
Hey j4jpp,
What would you like to test?
Hi tmillsclare,
As you have mentioned that 'Anti-XSS and Anti-malicious JavaScript/SQL Injection protection are provided by our server-centric architecture', I wanted to test all these features. If you can provide some example code then it would be great. e.g. On a textbox of a screen if I enter some SQL input that can turn into a 'SQL Injection' attack. So, wanted to know how ZK will behave in this case. Will ZK throw some exception saying that 'SQL Injection detected' or something else will happen?
Hi PeterKuo,
I understand your point. For the queries posted by jumin above, tmillsclare has replied that the required protection is provided by the server-centric architecture. So, I wanted to know and understand how we can test/check these inbuilt protections. From these we can understand what kind of protection is already provided by ZK. If you can give some guidance on this, it would be helpful.
AFAIK ZK (3.6) is not well protected against CSRF. When I have a disabled or readonly textbox, then the user can very easily change the attributes of the "input" in the browser and change the value on the server side, too. IMHO the server implementation of the InputElement should check if the server has set the disabled/readonly property, and if so, prevent changing the value and log some warning or error. Also, the band/combo box should be strengthened in a similar way against opening the band/combo popup when the band/combo box is disabled/readonly.
Hi all,
Thanks xmedeko for pointing this out. In ZK 5 there is a way to specify a blocking mechanism for this kind of issue, see Security Tips.
If you have a security concern, it is recommended to use ZK 5.
Regards,
Simon
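As an added example of the kind of server-side check xmedeko asks for and Simon's reply alludes to, here is a desktop-level request filter that drops any client update aimed at an input element the server has rendered as disabled or read-only. This is not ZK's own code and not the mechanism from the Security Tips page; the class and method names (`DesktopInit`, `AuService`, `AuRequest`, `InputElement` and their methods) are assumed from the ZK 5 API and must be verified against the ZK version in use.

```java
// Added example (hypothetical, not ZK project code): refuse AU requests that
// target disabled or read-only input elements, since a well-behaved client
// never sends them. Assumption: ZK 5's AuService hook and the type/method
// names below exist as used here; verify against the actual ZK release.
import java.util.logging.Logger;

import org.zkoss.zk.au.AuRequest;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.Desktop;
import org.zkoss.zk.ui.sys.AuService;
import org.zkoss.zk.ui.util.DesktopInit;
import org.zkoss.zul.impl.InputElement;

public class InaccessibleWidgetBlocker implements DesktopInit, AuService {
    private static final Logger LOG =
            Logger.getLogger(InaccessibleWidgetBlocker.class.getName());

    // Registered as a <listener> in zk.xml; ZK calls init() for every new desktop,
    // and we attach this object as a request filter for that desktop.
    public void init(Desktop desktop, Object request) {
        desktop.addAuService(this);
    }

    // Return true to tell ZK the request is fully handled (i.e. swallowed),
    // false to let ZK process it normally.
    public boolean service(AuRequest request, boolean everError) {
        Component comp = request.getComponent(); // null for desktop-level commands
        if (comp instanceof InputElement) {
            InputElement input = (InputElement) comp;
            // Textbox, Combobox, Bandbox, Datebox etc. all derive from InputElement,
            // so onChange/onChanging as well as onOpen on a disabled bandbox land here.
            if (input.isDisabled() || input.isReadonly()) {
                LOG.warning("Blocked '" + request.getCommand()
                        + "' for inaccessible component " + comp.getId()
                        + " (" + comp.getClass().getSimpleName() + ") in desktop "
                        + request.getDesktop().getId());
                return true; // dropped: the server-side value is left untouched
            }
        }
        return false;
    }
}
```

Registration is a `listener` entry in zk.xml whose `listener-class` names this class. The check relies only on server-side state (`isDisabled()`, `isReadonly()`), so attributes edited in the browser's DOM have no effect on the decision, which is exactly the property the thread is asking for; logging the command and component id gives an operator a signal that someone is tampering with the client.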
Asked: 2007-09-07 18:42:57 +0800
Seen: 1,932 times
Last updated: Oct 25 '10