Re: security article on TSS (partly covering wicket)

2008-07-31 Thread Gwyn Evans
I could be wrong, but it looked to me as if they were saying that if
you used hidden fields, then there was a potential insecurity as they
could be changed by the user.  I guess you trap that by automatically
generating an additional hidden field containing a hash of the other
hidden fields along with a randomly initialised salt value, then check
them when they get received...

/Gwyn

On Thu, Jul 31, 2008 at 7:09 PM, Korbinian Bachl - privat
<[EMAIL PROTECTED]> wrote:
> Hi,
>
>
> it's *not* my opinion - I just read the article and thought you might want to
> know about it. I mean, beside that, it seems as if Wicket is very secure in
> comparison to the other frameworks mentioned there - Honestly, I don't know
> why these harsh reactions (other mails) came.
>
> Best,
>
> Korbinian
>
> Martijn Dashorst schrieb:
>>
>> How is HiddenField insecure in your opinion?
>>
>> Martijn
>>
>> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
>> <[EMAIL PROTECTED]> wrote:
>>>
>>> Hi,
>>>
>>> under
>>>
>>> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
>>> is an article covering Java web apps & security; in part 2 it also looks
>>> at
>>> web frameworks for Java including Wicket 1.3.x - it mentions
>>>
>>> "Wicket has only one component (HiddenField) vulnerable to integrity
>>> attacks."
>>>
>>> maybe this gap could be closed? Also, the rest seems quite
>>> interesting.
>>>
>>> Best,
>>>
>>> Korbinian
>>>
>>>
>>
>>
>>
>

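As an added illustration of the check Gwyn sketches above (this is not code from the thread or from Wicket itself): the server keeps a random per-session secret, the "salt", out of the page, renders one extra hidden field carrying an HMAC over the other hidden fields, and recomputes it on submission, so a changed, added or dropped field fails the check. The field name `_hidden_sig`, the choice of HMAC-SHA256 as the keyed hash, and the sample order fields are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

SIG_FIELD = "_hidden_sig"  # extra hidden field carrying the check value (assumed name)

def new_session_secret() -> bytes:
    """Random per-session value (Gwyn's 'salt'); kept server-side only."""
    return secrets.token_bytes(32)

def canonical(fields: dict) -> bytes:
    """Unambiguous bytes for a set of name/value pairs: sorted so the order the
    browser sends them in is irrelevant, URL-encoded so '&' or '=' inside a
    value cannot be mistaken for a field boundary."""
    return urlencode(sorted(fields.items())).encode()

def sign_hidden_fields(secret: bytes, fields: dict) -> dict:
    """Fields to render into the form: the originals plus the HMAC field."""
    tag = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, SIG_FIELD: tag}

def verify_hidden_fields(secret: bytes, submitted: dict):
    """Return the hidden fields if the HMAC checks out, else None. Names and
    values are both covered, so a changed value, an added field and a dropped
    field all change the expected tag."""
    fields = dict(submitted)
    presented = fields.pop(SIG_FIELD, None)
    if not isinstance(presented, str):
        return None
    expected = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    # constant-time compare: '==' would leak how many leading characters matched
    if not hmac.compare_digest(expected, presented):
        return None
    return fields

def demo():
    """Constructed sample: an honest round-trip and a tampered price."""
    secret = new_session_secret()
    rendered = sign_hidden_fields(secret, {"orderId": "1042", "price": "199.00"})
    honest = verify_hidden_fields(secret, rendered)  # -> the two fields
    tampered = verify_hidden_fields(secret, {**rendered, "price": "1.00"})  # -> None
    return honest, tampered
```

The secret has to stay server-side (if it travelled in a hidden field too, the user could simply recompute the tag), and the check binds the values to one session but does not by itself stop a user re-submitting an older, unmodified set from that same session.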

Re: security article on TSS (partly covering wicket)

2008-07-31 Thread Korbinian Bachl - privat

Hi Eelco,

> towards you, but if they were, I guess that's the danger of being the
> messenger ;-)

yeah the messenger... damn job :P

I mean, I also don't think the reaction on theserverside was a good
choice. Honestly, even though the writers didn't know Wicket well enough
to know about things like crypted URLs, they still picked it as nearly the
most secure one... *that* was quite impressive to me! (sounds to me: "well,
I don't know about its special security features but even the basics seem
more secure than the rest")


Best,

Korbinian




Eelco Hillenius schrieb:
>> it's *not* my opinion - I just read the article and thought you might want to
>> know about it. I mean, beside that, it seems as if Wicket is very secure in
>> comparison to the other frameworks mentioned there - Honestly, I don't know
>> why these harsh reactions (other mails) came.
>
> Thanks for sharing. I didn't get the impression that people were harsh
> towards you, but if they were, I guess that's the danger of being the
> messenger ;-)
>
> Eelco


Re: security article on TSS (partly covering wicket)

2008-07-31 Thread Eelco Hillenius
> it's *not* my opinion - I just read the article and thought you might want to
> know about it. I mean, beside that, it seems as if Wicket is very secure in
> comparison to the other frameworks mentioned there - Honestly, I don't know
> why these harsh reactions (other mails) came.

Thanks for sharing. I didn't get the impression that people were harsh
towards you, but if they were, I guess that's the danger of being the
messenger ;-)

Eelco


Re: security article on TSS (partly covering wicket)

2008-07-31 Thread Korbinian Bachl - privat

Hi,


it's *not* my opinion - I just read the article and thought you might
want to know about it. I mean, beside that, it seems as if Wicket is very
secure in comparison to the other frameworks mentioned there -
Honestly, I don't know why these harsh reactions (other mails) came.


Best,

Korbinian

Martijn Dashorst schrieb:
> How is HiddenField insecure in your opinion?
>
> Martijn
>
> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
> <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> under
>> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
>> is an article covering Java web apps & security; in part 2 it also looks at
>> web frameworks for Java including Wicket 1.3.x - it mentions
>>
>> "Wicket has only one component (HiddenField) vulnerable to integrity
>> attacks."
>>
>> maybe this gap could be closed? Also, the rest seems quite interesting.
>>
>> Best,
>>
>> Korbinian
>


Re: security article on TSS (partly covering wicket)

2008-07-30 Thread Jan Kriesten


hi,

the only thing I can think of which could be automatically done by the framework
has been written up here:


http://javathoughts.capesugarbird.com/2007/08/protecting-wicket-application-against.html

best regards, --- jan.




Re: security article on TSS (partly covering wicket)

2008-07-30 Thread Igor Vaynberg
there was already a thread about this:
http://www.nabble.com/Security-Features-offered-by-Wicket-td15738864.html#a15738864

also, in any framework, if you remove hidden fields you HAVE TO HAVE a
session. this is coming from the same people who say wicket is too
heavyweight because it uses session? once you store that stuff in
session you also have the versioning problem due to the back button, so you
have to build wicket-like versioning to deal with session values...
so in the end you rebuild wicket :)

-igor

On Wed, Jul 30, 2008 at 1:59 PM, Korbinian Bachl - privat
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> under
> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
> is an article covering Java web apps & security; in part 2 it also looks at
> web frameworks for Java including Wicket 1.3.x - it mentions
>
> "Wicket has only one component (HiddenField) vulnerable to integrity
> attacks."
>
> maybe this gap could be closed? Also, the rest seems quite interesting.
>
> Best,
>
> Korbinian
>
>


Re: security article on TSS (partly covering wicket)

2008-07-30 Thread Eelco Hillenius
On Wed, Jul 30, 2008 at 3:48 PM, Eelco Hillenius
<[EMAIL PROTECTED]> wrote:
> Yeah, that's quite an annoying way for them to sell their product.
> More than half of it isn't even really related to web frameworks, but
> to how people use them. Injection flaws for instance... duh.

I actually think that Wicket has facilities to avoid all of the
potential issues listed there. Reply if you think any of them is
actually something Wicket should do better on.

Of course, users are also responsible for thinking about the
consequences of their choices. Wicket is a framework to help you be
more productive, not a magic wand.

Eelco


Re: security article on TSS (partly covering wicket)

2008-07-30 Thread Eelco Hillenius
Yeah, that's quite an annoying way for them to sell their product.
More than half of it isn't even really related to web frameworks, but
to how people use them. Injection flaws for instance... duh.

Eelco

On Wed, Jul 30, 2008 at 2:53 PM, Matej Knopp <[EMAIL PROTECTED]> wrote:
> That article is ridiculous. I really want to see what kind of hidden
> field vulnerability wicket has. We don't put anything into a hidden field
> that we wouldn't put in the URL.
>
> -Matej
>
> On Wed, Jul 30, 2008 at 11:49 PM, Martijn Dashorst
> <[EMAIL PROTECTED]> wrote:
>> How is HiddenField insecure in your opinion?
>>
>> Martijn
>>
>> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
>> <[EMAIL PROTECTED]> wrote:
>>> Hi,
>>>
>>> under
>>> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
>>> is an article covering Java web apps & security; in part 2 it also looks at
>>> web frameworks for Java including Wicket 1.3.x - it mentions
>>>
>>> "Wicket has only one component (HiddenField) vulnerable to integrity
>>> attacks."
>>>
>>> maybe this gap could be closed? Also, the rest seems quite interesting.
>>>
>>> Best,
>>>
>>> Korbinian
>>>
>>>
>>
>>
>>
>> --
>> Become a Wicket expert, learn from the best: http://wicketinaction.com
>> Apache Wicket 1.3.4 is released
>> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.
>>
>


Re: security article on TSS (partly covering wicket)

2008-07-30 Thread Matej Knopp
That article is ridiculous. I really want to see what kind of hidden
field vulnerability wicket has. We don't put anything into a hidden field
that we wouldn't put in the URL.

-Matej

On Wed, Jul 30, 2008 at 11:49 PM, Martijn Dashorst
<[EMAIL PROTECTED]> wrote:
> How is HiddenField insecure in your opinion?
>
> Martijn
>
> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
> <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> under
>> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
>> is an article covering Java web apps & security; in part 2 it also looks at
>> web frameworks for Java including Wicket 1.3.x - it mentions
>>
>> "Wicket has only one component (HiddenField) vulnerable to integrity
>> attacks."
>>
>> maybe this gap could be closed? Also, the rest seems quite interesting.
>>
>> Best,
>>
>> Korbinian
>>
>>
>
>
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.3.4 is released
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.
>


Re: security article on TSS (partly covering wicket)

2008-07-30 Thread Martijn Dashorst
How is HiddenField insecure in your opinion?

Martijn

On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> under
> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
> is an article covering Java web apps & security; in part 2 it also looks at
> web frameworks for Java including Wicket 1.3.x - it mentions
>
> "Wicket has only one component (HiddenField) vulnerable to integrity
> attacks."
>
> maybe this gap could be closed? Also, the rest seems quite interesting.
>
> Best,
>
> Korbinian
>
>



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.3.4 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.


security article on TSS (partly covering wicket)

2008-07-30 Thread Korbinian Bachl - privat

Hi,

under
http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
is an article covering Java web apps & security; in part 2 it also looks
at web frameworks for Java including Wicket 1.3.x - it mentions

"Wicket has only one component (HiddenField) vulnerable to integrity
attacks."

maybe this gap could be closed? Also, the rest seems quite interesting.

Best,

Korbinian