Recent Changes - Search:

edit SideBar



Tutorial Considerations

The browser tutorial allows the user to type in accessor code and then instantiate this accessor. This brings up security concerns.

Generally, we want to prevent:

  • Attacks on the accessors repo server.
  • Attackers turning the tutorial page into a data harvester (by redirecting users to the tutorial and implementing data-stealing code).
  • Attackers using the tutorial page to create a virus (for example, a Denial of Service accessor).

Relevant concerns from from

  • Data structure attacks
    • Buffer overflow: Create an excessively long data structure.
  • Malicious code
    • Data-sending Trojan horse: Read information from user's machine and send to attacker.
  • Injection
    • Code injection: Take advantage of allowed characters, data format, or data amount to run code on system.
    • Comment injection: Comment out the whole page using <!-- .
    • Cross-site scripting (XSS): Load malicious code from external resources.
    • Regular expression DoS: Create a very slowly evaluating regular expression.
    • Server-side includes injection: Take advantage of <!-- to inject commands.
  • Path traversal attacks
    • Access unauthorized resources: Manipulate the path to access server data; e.g., by using ../ in the URL.
  • Probabilistic techniques
    • Denial of service: Overwhelm a server with requests.


  • Whitelist characters. (Code injection)
  • Prohibit looping constructs such as for, forEach, and while. (Buffer overflow)
  • Prohibit HTML-style comments (Comment injection, Server-side includes injection)
  • Restrict or prohibit REST accessor (XSS, DoS)
  • Prohibit calls to window or document object (Data-sending Trojan horse)
  • Prohibit regular expressions (Regular expression DoS)
  • Prohibit access to files outside of accessor repo (Unauthorized resources). This applies to all accessor pages.

See Also

Edit - History - Print - Recent Changes - Search
Page last modified on April 13, 2017, at 10:18 PM