Posted to users@wicket.apache.org by Andreas Kappler <an...@jato-consulting.de> on 2013/11/25 16:15:31 UTC
CSRF protection by randomizing the page ID
Hi,
I am working on securing a Wicket application against CSRF attacks,
which are possible because Wicket URLs can be easily guessed by an
attacker and requests contain no challenge token.
I did my research and found
https://issues.apache.org/jira/browse/WICKET-1782 and
https://issues.apache.org/jira/browse/WICKET-5326 , pointing to using
CryptMapper to encrypt the request URLs.
However, wouldn't a simpler approach be to randomize the page ID that
gets inserted into each URL? This way, an attacker can no longer issue
requests as he cannot guess the URL of the page instance.
The following basic session override does the trick:
    import org.apache.wicket.protocol.http.WebSession;
    import org.apache.wicket.request.Request;
    // RandomUtils is not named in the post; assumed to be commons-lang's org.apache.commons.lang.math.RandomUtils
    import org.apache.commons.lang.math.RandomUtils;

    public class MySession extends WebSession {
        // Per-session random offset, chosen once when the session is created
        private final int sessionToken;

        public MySession(Request request) {
            super(request);
            sessionToken = RandomUtils.nextInt();
        }

        // Shift Wicket's sequential page counter by the session offset so the
        // page id that appears in URLs is no longer 0, 1, 2, ...
        @Override
        public synchronized int nextPageId() {
            int num = super.nextPageId();
            return (num + sessionToken) % Integer.MAX_VALUE;
        }
    }
However, this seems a little too simple for nobody to have thought of
that. Do you see any problems with this code, or should this
successfully protect against CSRF, without causing other issues?
Best regards,
Andreas
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: CSRF protection by randomizing the page ID
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
There is a (small) chance of clashes with this approach:
1) token = 0 => pageId == num
2) token = Integer.MAX_VALUE => pageId == num
The page id is session relative, so pageId=13 is Page1 for me but could be
Page21 for anyone else.
On Mon, Nov 25, 2013 at 5:15 PM, Andreas Kappler <andreas.kappler@jato-consulting.de> wrote:
> Hi,
>
> I am working on securing a Wicket application against CSRF attacks, which
> are possible because Wicket URLs can be easily guessed by an attacker and
> requests contain no challenge token.
>
> I did my research and found
> https://issues.apache.org/jira/browse/WICKET-1782 and
> https://issues.apache.org/jira/browse/WICKET-5326 , pointing to using
> CryptMapper to encrypt the request URLs.
>
> However, wouldn't a simpler approach be to randomize the page ID that gets
> inserted into each URL? This way, an attacker can no longer issue requests
> as he cannot guess the URL of the page instance.
>
> The following basic session override does the trick:
> public class MySession extends WebSession {
> private final int sessionToken;
>
> public MySession(Request request) {
> super(request);
> sessionToken = RandomUtils.nextInt();
> }
>
> @Override
> public synchronized int nextPageId() {
> int num = super.nextPageId();
> return (num + sessionToken) % Integer.MAX_VALUE;
> }
> }
>
> However, this seems a little too simple for nobody to have thought of
> that. Do you see any problems with this code, or should this successfully
> protect against CSRF, without causing other issues?
>
> Best regards,
> Andreas
>
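An added check, not from either message in the thread, that models the proposed nextPageId() as a pure function and tallies, for a few constructed session tokens, how many page ids come out unchanged, duplicated, or negative; the class PageIdMappingCheck, its Report fields and the chosen tokens are mine, and the remark about RandomUtils returning negative values assumes the commons-lang 2.x version of that method.

```java
import java.util.HashMap;
import java.util.Map;

/** Pure model of the proposed nextPageId(): (counter + token) % Integer.MAX_VALUE. */
public class PageIdMappingCheck {

    static int mappedPageId(int counter, int token) {
        return (counter + token) % Integer.MAX_VALUE;
    }

    /** Tally of what the mapping produces for counters 0..n-1 under one session token. */
    static final class Report {
        int identity;    // counters whose page id equals the raw counter, i.e. no randomisation
        int duplicates;  // page ids already handed out earlier in the same session
        int negatives;   // page ids below zero: int overflow, and Java's % keeps the dividend's sign
    }

    static Report check(int token, int n) {
        Report r = new Report();
        Map<Integer, Integer> seen = new HashMap<>();
        for (int counter = 0; counter < n; counter++) {
            int id = mappedPageId(counter, token);
            if (id == counter) r.identity++;
            if (seen.containsKey(id)) r.duplicates++;
            if (id < 0) r.negatives++;
            seen.put(id, counter);
        }
        return r;
    }

    static void expect(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        // Constructed tokens: the two clash cases named in the reply, plus a negative value,
        // which commons-lang 2.x RandomUtils.nextInt() can return (assumption about that library).
        Report zero = check(0, 1000);
        expect(zero.identity == 1000, "token 0 leaves every page id unchanged");

        Report max = check(Integer.MAX_VALUE, 1000);
        expect(max.identity == 1, "counter 0 maps to 0");
        expect(max.duplicates == 1, "counter 2 overflows to MIN_VALUE+1 and maps back to 0");
        expect(max.negatives == 998, "all remaining ids are negative");

        Report neg = check(-5, 1000);
        expect(neg.negatives == 5 && neg.duplicates == 0, "negative token yields negative ids");
        System.out.println("all checks passed");
    }
}
```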