[ https://issues.apache.org/jira/browse/WICKET-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12620937#action_12620937 ]
Johan Compagner commented on WICKET-1782: ----------------------------------------- do we have a jsessionid always? stateless pages? What to do if for example there is not session yet? Then the default key is just used? > Protection against CSRF (cross-site request forgery) attacks > ------------------------------------------------------------ > > Key: WICKET-1782 > URL: https://issues.apache.org/jira/browse/WICKET-1782 > Project: Wicket > Issue Type: Improvement > Components: wicket > Affects Versions: 1.3.4 > Reporter: Gorka Vicente > > Currently Wicket doesn't include a uniform and automatic solution against > CRSF vulnerability or OWASP-A5 vulnerability [1]. > In order to solve CSRF is necessary to avoid static HTML and create dynamic > or aleatory HTML per user. > Two posible solutions: > 1. Include a random token (aleatory parameter) to each url (link or form). > The name and the value of this parameter can be the same per user or change > per request (more secure but perform worse). It seems that can be implemented > creating other implementation of IRequestCodingStrategy interface. > 2. Encrypt all urls (links and form urls) using "Request Coding Strategy" > strategy offered currently by wicket (CryptedUrlWebRequestCodingStrategy). > Provide a security factory to use a different key per user or add some > aleatory data to encrypted data (for example user jessionid). (SunJceCrypt, > bundled in Wicket, is vulnerable to CSRF because obtained encrypted string is > the same for all the users) > [1] http://www.owasp.org/index.php/Top_10_2007-A5 -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.