Hi, I have created a quite simple app that I will use to demonstrate CSRF attacks. Throughout the development I will show how to protect this app with the CSRF protection I'm going to implement.
The app is called LittleChirp and is a mockup of a basic social network site which allows a user to set a small status message. There are 3 functionalities implemented:
-) User Login
-) Status Message Update and display of previous posts
-) User Logout

There are two pages, Index and Status, and one component, Layout. The Index page contains the login logic. The authentication is done by using a custom AuthenticationState class placed in a util package. The Status page contains the logic to add status messages. The messages are put in an ArrayList stored in the session. No persistence is used, since it would make the app more complex without any benefit for the CSRF security demonstration. A post form is used to send new status messages to the page. The logout functionality is realized with an action link that issues a GET request. This is considered to be bad design. But I think it should also be possible to protect such actions. The logout functionality is part of the Layout component.

The attack site is a simple HTML site that contains crafted requests to the locally started Tapestry app. There are two attacks, one for the status update form and one for the logout link. I think this will be a good showcase for CSRF protection. If somebody is missing something please let me know.

How to run it:
Project name: victimapp
Project hosted: http://code.google.com/p/gsoc2011-csrf-protection/
SVN-Repo: http://gsoc2011-csrf-protection.googlecode.com/svn/trunk/
Run: mvn jetty:run
Browse: http://localhost:8080/victimapp
Attack site: just open the single HTML file provided. There are two actions that can be executed there.

I will document this showcase at http://viennamarkus.blogspot.com/. I will also post info about further progress there. Maybe it is also a good idea to put this at some point on the official Tapestry documentation site.
KR Markus

View this message in context: http://tapestry.1045711.n5.nabble.com/CSRF-protection-tp4379034p4379034.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
