Posted to users@wicket.apache.org by Andreas Kappler <an...@jato-consulting.de> on 2013/11/25 16:15:31 UTC

CSRF protection by randomizing the page ID

Hi,

I am working on securing a Wicket application against CSRF attacks, 
which are possible because Wicket URLs can be easily guessed by an 
attacker and requests contain no challenge token.

I did my research and found
https://issues.apache.org/jira/browse/WICKET-1782 and
https://issues.apache.org/jira/browse/WICKET-5326, pointing to using 
CryptMapper to encrypt the request URLs.

However, wouldn't a simpler approach be to randomize the page ID that 
gets inserted into each URL? This way, an attacker can no longer issue 
requests as he cannot guess the URL of the page instance.

The following basic session override does the trick:
import org.apache.commons.lang.math.RandomUtils; // commons-lang 2.x; the no-arg nextInt() also exists in commons-lang3 3.3+
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class MySession extends WebSession {
    // Per-session random offset that is added to every page id handed out by this session
    private final int sessionToken;

    public MySession(Request request) {
        super(request);
        sessionToken = RandomUtils.nextInt();
    }

    @Override
    public synchronized int nextPageId() {
        // Take the sequential id from the superclass and shift it by the session's offset
        int num = super.nextPageId();
        return (num + sessionToken) % Integer.MAX_VALUE;
    }
}

However, this seems a little too simple for nobody to have thought of 
that. Do you see any problems with this code, or should this 
successfully protect against CSRF, without causing other issues?

Best regards,
Andreas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: CSRF protection by randomizing the page ID

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

There is a (small) chance of clashes with this approach:

1) token = 0 => pageId == num

2) token = Integer.MAX_VALUE => pageId == num

The page id is session relative, so pageId=13 is Page1 for me but could be
Page21 for anyone else.


On Mon, Nov 25, 2013 at 5:15 PM, Andreas Kappler <
andreas.kappler@jato-consulting.de> wrote:

> Hi,
>
> I am working on securing a Wicket application against CSRF attacks, which
> are possible because Wicket URLs can be easily guessed by an attacker and
> requests contain no challenge token.
>
> I did my research and found
> https://issues.apache.org/jira/browse/WICKET-1782 and
> https://issues.apache.org/jira/browse/WICKET-5326, pointing to using
> CryptMapper to encrypt the request URLs.
>
> However, wouldn't a simpler approach be to randomize the page ID that gets
> inserted into each URL? This way, an attacker can no longer issue requests
> as he cannot guess the URL of the page instance.
>
> The following basic session override does the trick:
> public class MySession extends WebSession {
>     private final int sessionToken;
>
>     public MySession(Request request) {
>         super(request);
>         sessionToken = RandomUtils.nextInt();
>     }
>
>     @Override
>     public synchronized int nextPageId() {
>         int num = super.nextPageId();
>         return (num + sessionToken) % Integer.MAX_VALUE;
>     }
> }
>
> However, this seems a little too simple for nobody to have thought of
> that. Do you see any problems with this code, or should this successfully
> protect against CSRF, without causing other issues?
>
> Best regards,
> Andreas
>
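Andreas's nextPageId() arithmetic and the two degenerate tokens Martin lists, replayed as an added check that is my code, not anything from the thread or from Wicket: shiftedPageId() repeats the expression from MySession in Java's 32-bit int, and the helpers show that token 0 leaves the sequential ids untouched while Integer.MAX_VALUE makes num + token overflow, so ids turn negative and two page numbers can share one id. The class and helper names are mine; whether the token can itself be negative depends on which RandomUtils.nextInt() is on the classpath, which the thread does not say.

```java
import java.util.ArrayList;
import java.util.List;

public class PageIdShiftCheck {
    /** The exact expression from MySession.nextPageId(), evaluated in Java's 32-bit int. */
    static int shiftedPageId(int num, int token) {
        return (num + token) % Integer.MAX_VALUE;
    }

    /** The first `count` sequential ids (Session hands them out from 0 upwards) after the shift. */
    static List<Integer> shiftedSequence(int token, int count) {
        List<Integer> ids = new ArrayList<>();
        for (int num = 0; num < count; num++) {
            ids.add(shiftedPageId(num, token));
        }
        return ids;
    }

    /** True if the shift leaves the first `count` ids unchanged, i.e. no randomization at all. */
    static boolean isIdentity(int token, int count) {
        for (int num = 0; num < count; num++) {
            if (shiftedPageId(num, token) != num) return false;
        }
        return true;
    }

    /** True if two different sequential ids receive the same shifted id among the first `count`. */
    static boolean hasCollision(int token, int count) {
        List<Integer> ids = shiftedSequence(token, count);
        return ids.stream().distinct().count() < ids.size();
    }

    /** True if any of the first `count` shifted ids is negative (num + token overflowed, or token < 0). */
    static boolean producesNegativeIds(int token, int count) {
        return shiftedSequence(token, count).stream().anyMatch(id -> id < 0);
    }

    public static void main(String[] args) {
        // Martin's case 1: token 0 leaves every page id exactly as Session generated it.
        System.out.println("token 0 is identity: " + isIdentity(0, 10));
        // Martin's case 2: token Integer.MAX_VALUE. num + token overflows for every num >= 1,
        // so ids turn negative and two different page numbers can end up with the same id.
        System.out.println("token MAX ids: " + shiftedSequence(Integer.MAX_VALUE, 4));
        System.out.println("token MAX collision: " + hasCollision(Integer.MAX_VALUE, 4));
        System.out.println("token MAX negative: " + producesNegativeIds(Integer.MAX_VALUE, 4));
        // A negative token (assumption: only if the RandomUtils in use draws from the full
        // int range; the thread does not say which library) is negative from the first id.
        System.out.println("token -5 negative: " + producesNegativeIds(-5, 1));
    }
}
```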