I could be wrong, but it looked to me as if they were saying that if you used hidden fields, then there was a potential insecurity as they could be changed by the user. I guess you trap that by automatically generating an additional hidden field containing a hash of the other hidden fields along with a randomly initialised salt value, then check them when they are received...
/Gwyn

On Thu, Jul 31, 2008 at 7:09 PM, Korbinian Bachl - privat <[EMAIL PROTECTED]> wrote:
> Hi,
>
> it's *not* my opinion - I just read the article and thought you might want to
> know about it. I mean, besides that, it seems as if Wicket is very secure in
> comparison to the other frameworks mentioned there - Honestly, I don't know
> why these harsh reactions (other mails) came.
>
> Best,
>
> Korbinian
>
> Martijn Dashorst schrieb:
>>
>> How is HiddenField insecure in your opinion?
>>
>> Martijn
>>
>> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
>> <[EMAIL PROTECTED]> wrote:
>>>
>>> Hi,
>>>
>>> under
>>>
>>> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
>>> is an article covering Java web apps & security; in part 2 it also looks
>>> at web frameworks for Java including Wicket 1.3.x - it mentions
>>>
>>> "Wicket has only one component (HiddenField) vulnerable to integrity
>>> attacks."
>>>
>>> Maybe this gap could be closed? Also the rest seems also quite
>>> interesting.
>>>
>>> Best,
>>>
>>> Korbinian
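
The integrity check Gwyn sketches above, as an added example that is not code from this thread, from Wicket or from the article it cites. One point the sketch leaves open is where the "salt" lives: a salt that is itself rendered into the form can be read and recomputed by the same user who edits the fields, so this example uses an HMAC under a secret key that stays on the server. The class name, the context string (session plus form id) and the field names and values are assumptions made up for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Seals a form's hidden fields with an HMAC so the server can tell whether the browser changed them. */
public final class HiddenFieldSealer {
    private static final String ALGORITHM = "HmacSHA256";
    private final SecretKeySpec key; // server-side secret; never rendered into the page

    public HiddenFieldSealer(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALGORITHM);
    }

    /** Fresh random key; a real deployment shares one rotated key across nodes instead. */
    public static HiddenFieldSealer withRandomKey() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return new HiddenFieldSealer(secret);
    }

    /** Value for the extra hidden field, e.g. <input type="hidden" name="_sig" value="..."> (assumed name). */
    public String seal(String context, Map<String, String> hiddenFields) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac(context, hiddenFields));
    }

    /** Recompute over the submitted values and compare in constant time; malformed input fails closed. */
    public boolean verify(String context, Map<String, String> submittedFields, String submittedSig) {
        if (submittedSig == null) return false;
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(submittedSig);
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
        return MessageDigest.isEqual(mac(context, submittedFields), presented);
    }

    private byte[] mac(String context, Map<String, String> fields) {
        try {
            Mac hmac = Mac.getInstance(ALGORITHM);
            hmac.init(key);
            return hmac.doFinal(canonical(context, fields));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e); // HmacSHA256 is required to be present in every JRE
        }
    }

    /**
     * Canonical encoding: context first, then fields sorted by name, every string length-prefixed.
     * Sorting makes the MAC independent of the order the browser submits fields in; the length
     * prefixes keep "a"+"bc" and "ab"+"c" from producing the same bytes.
     */
    static byte[] canonical(String context, Map<String, String> fields) {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        try {
            putString(out, context);
            for (Map.Entry<String, String> e : new TreeMap<>(fields).entrySet()) {
                putString(out, e.getKey());
                putString(out, e.getValue() == null ? "" : e.getValue());
            }
            out.flush();
        } catch (IOException cannotHappenOnByteArray) {
            throw new IllegalStateException(cannotHappenOnByteArray);
        }
        return buf.toByteArray();
    }

    private static void putString(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.writeInt(b.length);
        out.write(b);
    }

    public static void main(String[] args) {
        HiddenFieldSealer sealer = HiddenFieldSealer.withRandomKey();
        String context = "session=abc123;form=checkout"; // constructed: binds the seal to one session and form

        Map<String, String> rendered = new TreeMap<>(); // constructed sample hidden fields
        rendered.put("itemId", "sku-42");
        rendered.put("unitPrice", "100.00");
        String sig = sealer.seal(context, rendered);

        System.out.println("untouched form verifies:   " + sealer.verify(context, rendered, sig));

        Map<String, String> tampered = new TreeMap<>(rendered);
        tampered.put("unitPrice", "1.00"); // the user edits the price in the browser
        System.out.println("edited price accepted:     " + sealer.verify(context, tampered, sig));

        // Same fields and signature replayed into another session: the context mismatch catches it.
        System.out.println("cross-session replay accepted: " + sealer.verify("session=zzz;form=checkout", rendered, sig));

        System.out.println("garbage signature accepted:    " + sealer.verify(context, rendered, "not base64!!"));
    }
}
```

Rendering code calls `seal` once per form with the hidden fields it is about to emit; the request handler calls `verify` with the same context and the submitted values before trusting any of them, and treats a `false` as a tampered request rather than a validation error to show the user. Binding the context to the session and form id is what stops a valid field/signature pair captured from one form being pasted into another.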
