Bookmarklets & security issues in J2EE Webapps

Hi everybody,
for a new release of our J2EE Webapplication, our customer wishes to
allow the usage of bookmarklets. The application must be able to
register URLs with several protocol types, one of them is simply
"none", meaning that a user could register something like

"javascript:executeMyMethod();"

My question is about security: how safe/unsafe is the usage of
bookmarklets for a Webapplication? What are the security issues (if
any)? Any example?

I found several webpages that suppose bookmarklets are safe, but I'm
still not convinced...

I appreciate your answers to my question
Thanks
John

Jul 18 '06 #1

gu*************@freesurf.ch wrote:
> Hi everybody,
> for a new release of our J2EE Webapplication, our customer wishes to
> allow the usage of bookmarklets. The application must be able to
> register URLs with several protocol types, one of them is simply
> "none", meaning that a user could register something like
>
> "javascript:executeMyMethod();"

Which can be done right now by either typing it into the browser's
location field, setting it as the value of an A element's href
attribute or using it as the value of a bookmark's location attribute.
It's called the 'JavaScript pseudo-protocol'.

> My question is about security: how safe/unsafe is the usage of
> bookmarklets for a Webapplication? What are the security issues (if
> any)? Any example?

There are none of any consequence. If it is safe for your clients to
run JavaScript at all, then the pseudo-protocol should not present any
problems.

> I found several webpages that suppose bookmarklets are safe, but I'm
> still not convinced...

Are you concerned for your clients or yourself on the server?
--
Rob

Jul 18 '06 #2
Hi Rob, thank you very much for replying.
About the safety of using bookmarklets (or, as you correctly say, the
pseudo-protocol), I'm concerned about both issues: for the client and for
the server.

For the client: I don't know if for a "skilled" hacker (inside or
outside our company) it would be possible to steal some kind of
sensitive data using some pseudo-protocol. The client must be
identified, some pages are restricted and need additional
authentication.

For the server: although our server is behind firewalls, proxies,
reverse-proxies, I'm not sure if there could be some tunneling
opportunity for somebody to access some sensitive data.

The usage of Javascript is allowed, but with caution. As far as I am
concerned, I try to use it as little as possible. But the possibility for
somebody to register a URL, giving him the opportunity to insert some
code, read some form data from a URL, etc., sounds too risky to me. As
you understand, I do not have that much experience with this kind of
danger.

Did I give you some more ideas about my problem? Please let me know
what you think...

Thanks in advance
John

Jul 19 '06 #3
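John's worry in post #3, that a user can register a URL and thereby get code to run and read form data in somebody else's browser, is the exposure that matters here: a "javascript:" value is harmless to the person who typed it into their own location bar, but once the application stores it and renders it as a link for other logged-in users it becomes script that runs in their session. The standard defence is to allowlist URL schemes when the URL is registered and to encode the stored value when it is written into an href attribute. The following is an added example written for this edit, not code from the original thread or from John's application; the class name, the method names, the allowed-scheme list and the sample inputs are all assumptions, and it needs Java 9 or later for Set.of.

```java
// Added example (not code from the original thread): a server-side allowlist for
// URLs that users register in a J2EE application, so that a stored value can never
// be rendered as a clickable javascript: link for other users. Class and method
// names are hypothetical.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class RegisteredUrlValidator {

    // Schemes this application is willing to store and later render as links.
    // javascript:, data: and vbscript: are deliberately absent: anything not
    // listed here is rejected, so new pseudo-protocols do not slip through.
    private static final Set<String> ALLOWED_SCHEMES =
            Set.of("http", "https", "ftp", "mailto");

    // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'.
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    private RegisteredUrlValidator() {}

    /** Returns true only if the URL has an explicit, allowlisted scheme and parses. */
    public static boolean isSafeToRegister(String raw) {
        if (raw == null) {
            return false;
        }
        // Browsers ignore ASCII control characters and leading whitespace when they
        // parse a scheme, so "java\tscript:" or " javascript:" behave like "javascript:".
        // Strip them first so the check sees what the browser would see.
        StringBuilder sb = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c > 0x20 && c != 0x7F) {
                sb.append(c);
            }
        }
        String cleaned = sb.toString();

        Matcher m = SCHEME.matcher(cleaned);
        if (!m.find()) {
            // No explicit scheme (the thread's "none" case): the browser would have
            // to guess, so the value is rejected rather than trusted.
            return false;
        }
        String scheme = m.group(1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            return false;
        }
        // Finally make sure the remainder is a syntactically valid URI.
        try {
            new URI(cleaned);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Encodes a value for use inside a double-quoted HTML attribute such as href="...".
     * Validation decides what gets stored; encoding on output keeps a stored value
     * from breaking out of the attribute when the page is rendered.
     */
    public static String escapeForAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as a user might type them into the registration form.
        String[] samples = {
            "https://intranet.example/reports?id=42",
            "mailto:helpdesk@example.com",
            "javascript:executeMyMethod();",             // the thread's own example
            "JAVASCRIPT:executeMyMethod();",             // differs only in case
            " java\tscript:executeMyMethod();",          // whitespace and a tab inside the scheme
            "data:text/html,<script>executeMyMethod()</script>",
            "reports/42",                                // no scheme at all
        };
        for (String s : samples) {
            System.out.printf("%-55s -> %s%n", s.replace("\t", "\\t"),
                    isSafeToRegister(s) ? "accepted" : "rejected");
        }
    }
}
```

Only the first two samples are accepted; the five variants of a scripting or schemeless URL are rejected. Note that the allowlist runs at registration time, server side, where the "none" protocol type in the requirements would otherwise let any pseudo-protocol through; the attribute encoder is the second half of the defence and belongs wherever the stored URL is written into a page.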
