Posted to users@tapestry.apache.org by dh ning <ni...@gmail.com> on 2009/03/07 20:09:25 UTC

T5: Critical security of t:formdata

Hi,

These days I keep thinking about the security of t:formdata; just now I did a test
to hack t:formdata and found that some serious damage is possible.

1. First I change the source code of the Form component, store a component action
in Form, and build my own tapestry-core.jar.

    // In Form.java: a test action whose only job is to prove it was executed.
    import org.apache.tapestry5.ComponentAction;

    static final ComponentAction<Form> TEST_ACTION = new ComponentAction<Form>()
    {
        private static final long serialVersionUID = 0L;

        public void execute(Form component)
        {
            for (int i = 0; i < 1000; i++)
            {
                System.out.println("-----run " + i);
            }
        }

        @Override
        public String toString()
        {
            return "TEST_ACTION";
        }
    };

2. jetty:run the application with my own jar and access one page
(/login) that contains a form, then get the t:formdata from the HTML source.
3. Revert to the official jar, and create a new AbstractIntegrationTestSuite test case:
        open("login");
        type("t:formdata", copy the form data from 2nd);
        clickAndWait(submit);

Test result: I can see "-----run 0" to "-----run 1000" logged.

So in my understanding, doesn't it mean that a website based on Tapestry 5 is
not very secure and can be attacked by any experienced T5 programmer?

Thanks,
DH

Re: T5: Critical security of t:formdata

Posted by Howard Lewis Ship <hl...@gmail.com>.
Yes, you need the keys to the kingdom (the ability to deploy compiled
Java code into the active application's classpath) in order to use the
"exploit". If you can accomplish that, the ability to provide your own
component actions is a footnote compared to what you could accomplish
in other ways.

On Sat, Mar 7, 2009 at 11:39 AM, Otho <ta...@googlemail.com> wrote:
> If you revert to the official jar, how is your ComponentAction still there?
>
> And I don't actually understand what the possible attack vector would be.
>



-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind

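The experiment in the first post substitutes one serialized action stream for another inside the t:formdata hidden field. A server-side mitigation, independent of what is on the classpath, is to bind that field to a secret the server holds, so an edited or foreign stream is rejected before ObjectInputStream ever touches it. The Java class below is an added illustration, not Tapestry's own code; the class name, the secret and the string list standing in for the ComponentAction list are constructed for the example.

```java
import java.io.*;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Illustrative codec (not Tapestry's own): the hidden field carries the serialized
// action stream followed by an HMAC over it; the tag is checked before deserialization.
public final class SignedFormData {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedFormData(byte[] serverSecret) { key = new SecretKeySpec(serverSecret, ALG); }

    private byte[] mac(byte[] payload) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(payload);
    }

    // Render time: serialize the actions, append the tag, Base64 for the hidden field.
    public String encode(Serializable actions) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(actions); }
        byte[] payload = bos.toByteArray(), tag = mac(payload);
        byte[] out = Arrays.copyOf(payload, payload.length + tag.length);
        System.arraycopy(tag, 0, out, payload.length, tag.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Submit time: constant-time tag check first; a null result means "reject the request".
    public Object decode(String field) throws Exception {
        byte[] in = Base64.getDecoder().decode(field);
        int tagLen = Mac.getInstance(ALG).getMacLength();
        if (in.length <= tagLen) return null;
        byte[] payload = Arrays.copyOfRange(in, 0, in.length - tagLen);
        byte[] tag = Arrays.copyOfRange(in, in.length - tagLen, in.length);
        if (!MessageDigest.isEqual(mac(payload), tag)) return null;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SignedFormData codec = new SignedFormData("constructed-demo-secret".getBytes("UTF-8"));
        // Constructed stand-in for the ComponentAction list the Form would store.
        String field = codec.encode(new ArrayList<>(Arrays.asList("setupRender", "validate")));
        System.out.println("genuine field: " + codec.decode(field));
        byte[] raw = Base64.getDecoder().decode(field);
        raw[20] ^= 1; // any edit to the serialized bytes invalidates the tag
        System.out.println("edited field: " + codec.decode(Base64.getEncoder().encodeToString(raw)));
    }
}
```

The secret must be server-side and per deployment; with it, the "keys to the kingdom" argument above is joined by a check that does not depend on which classes happen to be deployable.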


Re: T5: Critical security of t:formdata

Posted by Otho <ta...@googlemail.com>.
If you revert to the official jar, how is your ComponentAction still there?

And I don't actually understand what the possible attack vector would be.