[ https://issues.apache.org/jira/browse/WICKET-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12633146#action_12633146 ]
Kent Tong commented on WICKET-1782:
-----------------------------------

Is it enough to make sure the pagemap id (representing the window) is random? This way another window will be unable to forge the request.

> Protection against CSRF (cross-site request forgery) attacks
> ------------------------------------------------------------
>
>                 Key: WICKET-1782
>                 URL: https://issues.apache.org/jira/browse/WICKET-1782
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.3.4
>            Reporter: Gorka Vicente
>            Assignee: Igor Vaynberg
>             Fix For: 1.3.5, 1.4-M4
>
>
> Currently Wicket doesn't include a uniform and automatic solution against
> CSRF vulnerability or OWASP-A5 vulnerability [1].
> In order to solve CSRF it is necessary to avoid static HTML and create dynamic
> or aleatory HTML per user.
> Two possible solutions:
> 1. Include a random token (aleatory parameter) in each url (link or form).
> The name and the value of this parameter can be the same per user or change
> per request (more secure but performs worse). It seems that this can be implemented
> by creating another implementation of the IRequestCodingStrategy interface.
> 2. Encrypt all urls (links and form urls) using the "Request Coding Strategy"
> currently offered by wicket (CryptedUrlWebRequestCodingStrategy).
> Provide a security factory to use a different key per user or add some
> aleatory data to the encrypted data (for example the user's jsessionid). (SunJceCrypt,
> bundled in Wicket, is vulnerable to CSRF because the obtained encrypted string is
> the same for all users)
> [1] http://www.owasp.org/index.php/Top_10_2007-A5

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
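Solution 1 from the issue description, as an added example that is not Wicket code and not part of the issue thread: a random token is issued into every link or form URL and checked when the request comes back, in both variants the reporter mentions (one token per user session, or a fresh single-use token per request). The session ids, URL paths and the `csrf` parameter name are constructed for the illustration.

```python
import hmac
import secrets


class TokenStore:
    """Per-session CSRF tokens; per_request=True rotates the token on each use."""

    def __init__(self, per_request=False):
        self.per_request = per_request
        self._tokens = {}  # session id -> set of currently valid tokens

    def issue(self, session_id):
        """Return a random token bound to session_id (a new one per request if configured)."""
        live = self._tokens.setdefault(session_id, set())
        if not self.per_request and live:
            return next(iter(live))  # reuse the session's single token
        token = secrets.token_urlsafe(16)  # 128 bits of CSPRNG output
        live.add(token)
        return token

    def check(self, session_id, presented):
        """True only if presented is a live token for this session.

        A token obtained in another session (or another window, as the
        comment above asks about) is rejected because it was never issued
        to this session, regardless of how the attacker learned it.
        """
        live = self._tokens.get(session_id, set())
        match = None
        for token in live:
            if hmac.compare_digest(token, presented):  # constant-time compare
                match = token
        if match is None:
            return False
        if self.per_request:
            live.discard(match)  # single use: replaying the URL fails
        return True


def build_url(base, session_id, store):
    """Append the session's token to a URL the way a coding strategy would."""
    return f"{base}?csrf={store.issue(session_id)}"


def parse_token(url):
    """Pull the csrf parameter back out of an incoming request URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "csrf":
            return value
    return ""
```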