Data Leaks

Data leaks can result from incorrectly specified cookies, unverified client input, and verbose error messages.

Browsers implement a same-origin policy, which prevents a script in an IFRAME from accessing its containing document and prevents scripts from making cross-domain requests using XMLHttpRequest. This effectively prevents a malicious script from reading content from another site.

However, <script> tags are not subject to the same-origin policy. If a resource that is attacked by a malicious script returns valid JavaScript (as is the case with the JSON format used by Uniface), the malicious script could insert a <script> tag to perform the attack.

Uniface protects against this particular type of attack by allowing only POST requests to JSON resources. Since script tags always use GET, this effectively prevents data leaks through cross-site request forgery.

However, data can be leaked in other ways.

Defense

To prevent data leaks:

  • Ensure that the domain and path are correctly specified in cookies. If they are not, the cookie intended for your application can be unintentionally sent to a subdomain, so that it leaks to other sites or to less secure web applications in your domain.
  • Do not generate an HTML document or error page with unprocessed client input in it. For example, to prevent <script> insertion using a GET method, translate the angle bracket < in $webinfo("INPUT") to the XML entity &lt; before adding it to the output page or raw HTML field. Otherwise, the browser will execute the script tag when processing the HTML document.
  • Verify unprocessed client input before using it to create a hyperlink.
  • Minimize the information on error pages to prevent someone from gathering details about your application and server environment. Instead, write detailed information to an application log file and report less detail to the user, with a reference to the entry in the log file. For more information, see Web Application Error Pages.
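
The last three rules above, sketched in JavaScript (Node.js) as an added example; this is not Uniface code, and it escapes more characters than the single < the text names. The function names, the in-memory log and the sample inputs are constructed for illustration.

```javascript
// Added illustration; function names, the in-memory log and inputs are constructed.

// Render client input as text. The text's minimum is "<" to "&lt;"; the other
// characters are escaped too so the value is also safe in a quoted attribute.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Verify client input before using it as a hyperlink target: only absolute
// http(s) URLs pass; anything else is replaced by a fixed fallback.
function safeHref(input, fallback = '/') {
  let url;
  try {
    url = new URL(String(input)); // parser strips tabs/newlines before the scheme is checked
  } catch (e) {
    return fallback; // relative or malformed input
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return fallback;
  return url.href;
}

function renderLink(input, label) {
  return '<a href="' + escapeHtml(safeHref(input)) + '">' + escapeHtml(label) + '</a>';
}

// Error page: full detail goes to the log, the user only gets a reference.
const appLog = []; // stand-in for the application log file
function errorPage(err, clientInput) {
  const ref = 'ERR-' + String(appLog.length + 1).padStart(6, '0');
  appLog.push({ ref, time: new Date().toISOString(), message: err.message,
                stack: err.stack, input: clientInput });
  return '<p>The request could not be processed. Reference: ' + ref + '</p>';
}

// Constructed sample inputs.
console.log(escapeHtml('<script>alert(1)</script>'));
console.log(renderLink('javascript:alert(1)', 'profile'));
console.log(renderLink('https://example.com/a?x=1&y=2', 'go'));
console.log(errorPage(new Error('DB login failed on host db01.internal'), 'id=42'));
```

Relative links are rejected by safeHref as written; an application that needs them would check them against its own list of known paths.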