traccar / traccar-client-android

Traccar Client for Android
https://www.traccar.org/client
Apache License 2.0

Spoofing and leakage protection #185

Open kkar opened 8 years ago

kkar commented 8 years ago

Is there a way to avoid third party spoofing (for example, network sniffing and replaying the GET requests with different lat/long values)? And how secure is Traccar against known attacks such as SQL injections, XSS, etc., to avoid position leaks?

Thank you!

tananaev commented 8 years ago

There is no protection against spoofing at the moment.

As for Traccar server security:

  1. SQL injections are not a problem because Traccar properly uses parametrized queries
  2. XSS does not apply because it's not possible to add any dynamic content
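
A way to reject the replayed or altered GET position reports the question describes, added here as an example and not part of the Traccar client or server code: each report carries a timestamp and a fresh nonce and is signed with a per-device HMAC key, and the receiver checks the signature, a freshness window and a replay cache. The parameter names, the `DEVICE_SECRETS` table and the 60-second window are assumptions chosen for this example.

```python
import hmac, hashlib, secrets, time
from urllib.parse import urlencode, parse_qs

# Constructed per-device shared secret (assumed; provisioned out of band in practice).
DEVICE_SECRETS = {"dev-123": b"constructed-secret-key"}
MAX_SKEW = 60        # seconds a report may differ from receiver time before rejection
SEEN_NONCES = {}     # nonce -> expiry time; bounded replay cache
SIGNED_FIELDS = ("id", "lat", "lon", "timestamp", "nonce")

def canonical(params):
    # Fixed field order so sender and receiver hash exactly the same bytes.
    return "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()

def sign_report(device_id, lat, lon, secret, now=None):
    """Build the query string a client would send for one position report."""
    params = {"id": device_id, "lat": f"{lat:.6f}", "lon": f"{lon:.6f}",
              "timestamp": str(int(now if now is not None else time.time())),
              "nonce": secrets.token_hex(8)}
    params["sig"] = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return "/?" + urlencode(params)

def verify_report(query_string, now=None):
    """Return 'accepted' or a 'rejected: <reason>' string for one received report."""
    now = now if now is not None else time.time()
    params = {k: v[0] for k, v in parse_qs(query_string.lstrip("/?")).items()}
    if any(k not in params for k in SIGNED_FIELDS + ("sig",)):
        return "rejected: missing field"
    secret = DEVICE_SECRETS.get(params["id"])
    if secret is None:
        return "rejected: unknown device"
    expected = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params["sig"]):
        return "rejected: bad signature"    # lat/lon changed in transit or wrong key
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return "rejected: bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return "rejected: stale timestamp"  # old capture replayed much later
    for n in [n for n, exp in SEEN_NONCES.items() if exp < now]:
        del SEEN_NONCES[n]                  # drop nonces past the freshness window
    if params["nonce"] in SEEN_NONCES:
        return "rejected: replay"           # same capture sent twice inside the window
    SEEN_NONCES[params["nonce"]] = now + MAX_SKEW
    return "accepted"
```

This only authenticates the sender and rejects duplicates; a legitimate device deliberately reporting a false position is outside what it can detect.
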

kkar commented 8 years ago

How about persistent XSS (via the Control panel's fields or via GET requests of lat & long values)? Thank you so much for the answer.

tananaev commented 8 years ago

It's impossible to inject any dynamic code into any of the values.