Arthur Ahiceh wrote:
>>> 4. Yes. See mailing list for earlier answers. There are more hardening
>>> options such as encrypting urls.
>>>
>
> Even when encrypting the urls, Wicket is vulnerable to CSRF because the key used
> to encrypt is shared by all users of the application. Wicket is an extensible
> framework where you can add some new functionality "easily" but it doesn't
> provide any secure solution by default to protect you against CSRF attacks!
Correct indeed. Also note, I did not use the word 'easily' :)
Regards,
Erik.
--
Erik van Oosten
http://day-to-day-stuff.blogspot.com/