You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Igor Vaynberg (JIRA)" <ji...@apache.org> on 2008/08/09 00:16:44 UTC

[jira] Resolved: (WICKET-1782) Protection against CSRF (cross-site request forgery) attacks

     [ https://issues.apache.org/jira/browse/WICKET-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg resolved WICKET-1782.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 1.4-M4
                   1.3.5

the default crypt factory is now KeyInSessionSunJceCryptFactory which uses a randomly generated encryption key stored in httpsession.

> Protection against CSRF (cross-site request forgery) attacks
> ------------------------------------------------------------
>
>                 Key: WICKET-1782
>                 URL: https://issues.apache.org/jira/browse/WICKET-1782
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.3.4
>            Reporter: Gorka Vicente
>            Assignee: Igor Vaynberg
>             Fix For: 1.3.5, 1.4-M4
>
>
> Currently Wicket doesn't include a uniform and automatic solution against CRSF vulnerability or OWASP-A5 vulnerability [1].
> In order to solve CSRF is necessary to avoid static HTML and create dynamic or aleatory HTML per user.
> Two posible solutions:
> 1. Include a random token (aleatory parameter) to each url (link or form). The name and the value of this parameter can be the same per user or change per request (more secure but perform worse). It seems that can be implemented creating other implementation of IRequestCodingStrategy  interface.
> 2. Encrypt all urls (links and form urls) using "Request Coding Strategy" strategy offered currently by wicket (CryptedUrlWebRequestCodingStrategy).  Provide a security factory to use a different key per user or add some aleatory data to encrypted data (for example user jessionid). (SunJceCrypt, bundled in Wicket, is vulnerable to CSRF because obtained encrypted string is the same for all the users)
> [1] http://www.owasp.org/index.php/Top_10_2007-A5

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.