Tuesday, 10 July 2007

Sidebar Gadget Security: Inspect Your Gadget

Michael Howard has written up some guidance on how to develop secure Vista Sidebar Gadgets:

http://msdn2.microsoft.com/en-us/library/bb498012.aspx

Take some time to check this out if you're writing a Sidebar Gadget that touches data from a remote source.

Review a Gadget for Security Bugs

As a first-order analysis, the following should be carefully reviewed to make sure they are not introducing security bugs.

  • Verify that all innerHTML constructs render only trusted or sanitized data.
    You can use the innerText property to add untrusted data into the DOM safely.
  • Verify that all document.write method calls render only trusted or sanitized data.
    Again, use the innerText property to add untrusted data into the DOM safely.
  • Verify that all calls into the Gadget object model or ActiveX controls instantiated in the Gadget pass validated data. As an example, be careful when calling System.Sidebar.Execute.
  • Verify that all calls to eval() pass validated data.
  • Verify that all ActiveX controls used by the Gadget are secure (no buffer overruns, integer overruns, and such).
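
An added example that is not from the post or from Michael Howard's article: two of the checklist items above turned into code a gadget could run on text fetched from a feed. It assumes the feed returns JSON text and a title/link pair per item (both constructed here); the pre-check in front of eval() is the regex-based structural test from Crockford's json2.js, and JSON.parse is preferable wherever the host provides it.

```javascript
// Added example, not code from the post or from Michael Howard's article.
// It turns two checklist items into code: "eval() passes only validated
// data" and "innerHTML renders only trusted or sanitized data".

// Structural pre-check taken from Crockford's json2.js: after escape
// sequences, strings, numbers and literals are blanked out, only JSON
// punctuation may remain. Identifiers, parentheses or operators mean the
// text is not plain JSON and must never reach eval().
function isJsonText(text) {
  var t = String(text)
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(t);
}

// The checklist pattern: eval() sees only text that passed the check.
// Hosts that provide JSON.parse should use it instead of eval() entirely.
function parseFeedJson(text) {
  return isJsonText(text) ? eval('(' + text + ')') : null;
}

// Encode untrusted text for the one case it must be placed inside markup
// (an attribute value or a fragment assigned to innerHTML). Plain text
// should go through innerText instead, as the checklist says.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;',
             '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Accept only absolute http(s) links from the feed; anything else is
// replaced by '#', so non-http schemes never become a clickable href.
function safeHref(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(String(url)) ? String(url) : '#';
}

// Markup a gadget would assign to a container's innerHTML for one feed
// item; every untrusted field is validated or encoded first.
function itemMarkup(item) {
  return '<a href="' + encodeHtml(safeHref(item.link)) + '">' +
         encodeHtml(item.title) + '</a>';
}
```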

1 comment:

Abhishek Krishnan said...

Hi, your blog seems to be really nice!! Are you interested in exchanging links? My blog is at http://changingtechnology.blogspot.com/ and it’s about the latest gadgets and the technology used. Do let me know if you are interested. I too will put up a link to your blog on mine. Thanks.