Preventing client-side security threats

Unfortunately, the technologies that provide a richer interactive experience can also make applications less secure. Rich UI applications are susceptible to the security vulnerabilities that threaten any Web 2.0 application, including cross-site scripting, SQL injection, and JavaScript™ hijacking.

When you use EGL, you are protected from some of these client-side threats. For example, EGL prevents malicious data from being sent to the client using either JavaScript Object Notation (JSON) or XML. It also guards its own use of "eval" in runtime code. However, it is very difficult for EGL to defend against certain types of attacks, such as cross-site scripting and SQL injection, without limiting the types of applications customers can write.

You can prevent unauthenticated clients from calling the proxy, and reduce the possibility of proxy misuse, by securing the EGL Rich UI Proxy with JEE security. However, securing the proxy with JEE security does not prevent authenticated users from using the proxy for unintended purposes. The more tightly your user registry is controlled, the safer your proxy will be. Therefore, for security reasons, a system administrator should control access to your user registry.
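The following web.xml fragment is an added example of securing the Rich UI Proxy servlet with JEE security as described above; it is not taken from the original page or from EGL's own generated deployment descriptor. It assumes that the proxy servlet is mapped under the placeholder pattern `/PROXY_URL_PATTERN/*` (replace it with the mapping your application actually uses) and that the role name `RichUIProxyUser` is one you define and map, in the application server, to a tightly controlled group in the user registry.

```xml
<!-- Added example (not from the original page): protect the EGL Rich UI Proxy servlet
     with a JEE security constraint so that only authenticated users in an
     administrator-controlled role can call it.
     ASSUMPTIONS: /PROXY_URL_PATTERN/* is a placeholder for the real proxy servlet
     mapping; RichUIProxyUser is a role name chosen for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>EGL Rich UI Proxy</web-resource-name>
    <!-- Placeholder: use the URL pattern your proxy servlet is mapped to -->
    <url-pattern>/PROXY_URL_PATTERN/*</url-pattern>
    <!-- No <http-method> elements are listed on purpose: omitting them
         constrains every HTTP method instead of leaving, say, GET open -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Unauthenticated requests are rejected; authenticated users must hold this role -->
    <role-name>RichUIProxyUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS so credentials and proxied request data are not sent in clear text -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- BASIC uses the browser-provided login dialog; FORM uses a JEE form-based login page -->
  <auth-method>BASIC</auth-method>
  <realm-name>EGL Rich UI Proxy</realm-name>
</login-config>

<security-role>
  <!-- The role must be mapped to a registry group whose membership an administrator controls -->
  <role-name>RichUIProxyUser</role-name>
</security-role>
```

The important design choice is the `<auth-constraint>` combined with the missing `<http-method>` list: the constraint then applies to all methods, so an attacker cannot reach the proxy through an unlisted verb. As the text notes, this only keeps unauthenticated callers out; it is the role-to-group mapping in the user registry that limits which authenticated users can reach the proxy at all.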

You can keep a log of the end users who have accessed your Rich UI application if you are using your own login screen, rather than one supplied through JEE form-based authentication or the browser-provided login dialog from JEE basic authentication. (In your Rich UI application, you cannot retrieve user IDs from the application server if you are using JEE security.) This log could help you identify the responsible party if an authenticated user is illegally using your EGL Rich UI Proxy for anything from calling Web services on other domains to instigating JavaScript hijacking attacks. Also check the documentation of your application server to see whether it maintains logs that might be of help to you.
