Posted to commits@wicket.apache.org by "Johan Compagner (JIRA)" <ji...@apache.org> on 2008/08/08 14:01:44 UTC

[jira] Commented: (WICKET-1782) Protection against CSRF (cross-site request forgery) attacks

    [ https://issues.apache.org/jira/browse/WICKET-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12620920#action_12620920 ] 

Johan Compagner commented on WICKET-1782:
-----------------------------------------

About 1:
Include a random token in each URL that Wicket generates?
Is then only 1 token valid for 1 request?
That will not work for Wicket, because with partial Ajax updates of subsets of the pages we have URLs with token Y and with token Y+1 on one page, and both URLs, the old and the new ones, have to work fine.


> Protection against CSRF (cross-site request forgery) attacks
> ------------------------------------------------------------
>
>                 Key: WICKET-1782
>                 URL: https://issues.apache.org/jira/browse/WICKET-1782
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.3.4
>            Reporter: Gorka Vicente
>
> Currently Wicket doesn't include a uniform and automatic solution against the CSRF vulnerability, or OWASP-A5 vulnerability [1].
> In order to solve CSRF it is necessary to avoid static HTML and create dynamic or aleatory HTML per user.
> Two possible solutions:
> 1. Include a random token (aleatory parameter) in each URL (link or form). The name and the value of this parameter can be the same per user or change per request (more secure but performs worse). It seems that this can be implemented by creating another implementation of the IRequestCodingStrategy interface.
> 2. Encrypt all URLs (links and form URLs) using the "Request Coding Strategy" currently offered by Wicket (CryptedUrlWebRequestCodingStrategy). Provide a security factory to use a different key per user, or add some aleatory data to the encrypted data (for example the user's jsessionid). (SunJceCrypt, bundled in Wicket, is vulnerable to CSRF because the obtained encrypted string is the same for all users.)
> [1] http://www.owasp.org/index.php/Top_10_2007-A5

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
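The two designs argued over above (a token that stays constant per user versus one that changes per request, and the Ajax problem Johan raises with the latter) can be made concrete. The block below is an added illustration written for this thread; it is not Wicket code and does not use any Wicket API. Its assumptions are its own: the framework hands us a stable session id and a place to keep per-session state, the token is an HMAC-SHA256 over the session id and a generation counter keyed with a per-session secret, and a `window` parameter decides how many older generations remain valid. With `window=0` you get strict one-token-per-request behaviour, which rejects the token Y link once the Ajax update has issued Y+1; with `window=1` both links on the page keep working, while a token minted under another session's secret is still refused, which is the property the shared SunJceCrypt key lacks.

```python
"""Synchronizer-token CSRF check with a rotating, windowed per-session token.

Added example for the WICKET-1782 discussion; not part of Wicket.  Session
handling is assumed: the caller supplies a session id and keeps one store
per server-side session.
"""
import hashlib
import hmac
import secrets


class CsrfTokenStore:
    """Per-session CSRF token state (assumption: one instance per session)."""

    def __init__(self, session_id: str, window: int = 1):
        self.session_id = session_id
        # Per-session secret; never sent to the client, so a token from another
        # session (or a URL copied from another user) cannot validate here.
        self.secret = secrets.token_bytes(32)
        self.generation = 0   # bumped on every rendered response
        self.window = window  # how many older generations stay acceptable

    def _token_for(self, generation: int) -> str:
        msg = f"{self.session_id}:{generation}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def current_token(self) -> str:
        return self._token_for(self.generation)

    def render_response(self) -> str:
        """Call when a full page or an Ajax fragment is rendered: rotate to a
        fresh generation and return the token to embed in that markup's URLs."""
        self.generation += 1
        return self.current_token()

    def validate(self, presented: str) -> bool:
        """Accept the current generation and up to `window` earlier ones.

        window=0 is the strict one-token-per-request scheme; window>=1 lets a
        link rendered with token Y survive an Ajax update that issued Y+1."""
        if not isinstance(presented, str):
            return False
        oldest = max(0, self.generation - self.window)
        for gen in range(self.generation, oldest - 1, -1):
            # Constant-time comparison; also returns False on length mismatch.
            if hmac.compare_digest(self._token_for(gen), presented):
                return True
        return False


def demo() -> dict:
    """Replays the scenario from the thread and returns the validation outcomes."""
    results = {}

    # Windowed scheme: full page renders with token Y, then an Ajax partial
    # update renders a fragment with token Y+1.  Both must still work.
    store = CsrfTokenStore("sess-1234", window=1)
    page_token = store.render_response()      # token Y
    ajax_token = store.render_response()      # token Y+1
    results["old_link_with_window"] = store.validate(page_token)
    results["new_link"] = store.validate(ajax_token)

    # Strict per-request scheme: the same sequence breaks the older link.
    strict = CsrfTokenStore("sess-1234", window=0)
    page_token = strict.render_response()
    strict.render_response()
    results["old_link_strict"] = strict.validate(page_token)

    # Cross-session replay: a token minted for another session (constructed
    # here to stand in for a URL an attacker obtained themselves) is refused.
    other = CsrfTokenStore("sess-5678", window=1)
    results["cross_session_token"] = store.validate(other.render_response())

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Note the trade-off the window buys: each extra generation kept valid is one more token an attacker could replay if they ever got hold of it, so the window should be just large enough to cover the fragments that can coexist on one page, and the per-session secret should be discarded with the session.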