Bookmarklets & security issues in J2EE Webapps

gundam.f0rtre55

Hi everybody,
for a new release of our J2EE Webapplication, our customer wishes to
allow the usage of bookmarklets. The application must be able to
register URLs with several protocol types, one of them is simply
"none", meaning that a user could register something like

"javascript:executeMyMethod();"

My question is about security: how safe/unsafe is the usage of
bookmarklets for a Webapplication? What are the security issues (if
any)? Any example?

I found several webpages that suppose bookmarklets are safe, but I'm
still not convinced...

I appreciate your answerz to my question
Thankx
John
 
RobG

> Hi everybody,
> for a new release of our J2EE Webapplication, our customer wishes to
> allow the usage of bookmarklets. The application must be able to
> register URLs with several protocol types, one of them is simply
> "none", meaning that a user could register something like
>
> "javascript:executeMyMethod();"

Which can be done right now by either typing it into the browser's
location field, setting it as the value of an A element's href
attribute or using it as the value of a bookmark's location attribute.
It's called the 'JavaScript pseudo-protocol'.

> My question is about security: how safe/unsafe is the usage of
> bookmarklets for a Webapplication? What are the security issues (if
> any)? Any example?

There are none of any consequence. If it is safe for your clients to
run JavaScript at all, then the pseudo-protocol should not present any
problems.

> I found several webpages that suppose bookmarklets are safe, but I'm
> still not convinced...

Are you concerned for your clients or yourself on the server?
 
gundam.f0rtre55

Hi Rob, thank you very much for replying.
About the safety of using bookmarklets (or as you correctly say,
pseudo-protocol), I'm concerned about both issues: for the client and for
the server.

For the client: I don't know if for a "skilled" hacker (inside or
outside our company) it would be possible to steal some kind of
sensitive data using some pseudo-protocol. The client must be
identified, some pages are restricted and need additional
authentication.

For the server: although our server is behind firewalls, proxies,
reverse-proxies, I'm not sure if there could be some tunneling
opportunity for somebody to access some sensitive data.

The usage of JavaScript is allowed, but with caution. As far as I am
concerned, I try to use it as little as possible. But the possibility for
somebody to register a URL, giving him the opportunity to insert
some code, read some form data from a URL, etc., sounds too risky to
me. As you understand, I do not have that much experience with this kind
of danger.

Did I give you some more ideas about my problem? Please let me know
what you think...

Thanks in advance
John
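
The question of which registered URLs an application should accept can be made concrete with a scheme check. The following is an added example, not code from the thread or from any poster's application. It assumes a hypothetical policy in which each registered link is either 'private' (shown only to the user who registered it) or 'shared', and in which `javascript:` entries are accepted only as private; the function names and sample values are constructed.

```javascript
// Added example: scheme policy for user-registered links (the policy is an assumption).
const SHAREABLE = new Set(['http:', 'https:']);  // may be shown to other users
const OWNER_ONLY = new Set(['javascript:']);     // bookmarklets: only for their author

// Use the WHATWG URL parser so the scheme is read the way a browser reads it:
// case-folded, with tabs/newlines and leading whitespace removed.
// A plain startsWith('javascript:') test would miss those spellings.
function schemeOf(raw) {
  try {
    return new URL(String(raw)).protocol;
  } catch (e) {
    return null; // relative or unparsable input has no scheme
  }
}

// visibility: 'private' (only the registering user sees the link) or 'shared'.
function classifyRegisteredUrl(raw, visibility) {
  const scheme = schemeOf(raw);
  if (scheme === null) return { decision: 'reject', scheme, reason: 'not an absolute URL' };
  if (SHAREABLE.has(scheme)) return { decision: 'allow', scheme, reason: 'navigational scheme' };
  if (OWNER_ONLY.has(scheme)) {
    return visibility === 'private'
      ? { decision: 'allow', scheme, reason: "script runs only in its author's session" }
      : { decision: 'reject', scheme, reason: "script would run in other users' sessions" };
  }
  return { decision: 'reject', scheme, reason: 'scheme not on allow-list' };
}

// Constructed sample registrations.
const samples = [
  ['https://intranet.example/reports', 'shared'],
  ['javascript:executeMyMethod();', 'private'],
  ['javascript:executeMyMethod();', 'shared'],
  ['  JavaScript:executeMyMethod();', 'shared'],
  ['java\tscript:executeMyMethod();', 'shared'],
  ['data:text/html,<p>hi</p>', 'shared'],
];
for (const [url, vis] of samples) {
  const r = classifyRegisteredUrl(url, vis);
  console.log(JSON.stringify(url), vis, '->', r.decision, `(${r.reason})`);
}
```

The check belongs on the server at registration time and again wherever a stored URL is written into an `href`, since client-side validation alone can be bypassed.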
 
