All parameters encrypted/decrypted with the same secret
-------------------------------------------------------

                 Key: STS-918
                 URL: http://www.stripesframework.org/jira/browse/STS-918
             Project: Stripes
          Issue Type: Bug
            Reporter: Xiaoyong Wu


Hi,
I have been looking at the Stripes framework and specifically at CryptoUtil 
class usage. It looks to me that all the parameters are encrypted/decrypted with 
the same secret, such as "s:password" repopulation and the "__fp" and "_sourcePage" 
internal parameters. Depending on implementation details on different sites, 
this makes the sites vulnerable to replay attacks, such as copying an encrypted 
password to "__fp", copying a known redirect resolution page to "_sourcePage", 
etc.
It would be great if the framework could use different secrets derived from the 
configured one and use them for different parameters, fields and other different 
intentions.

-Xiaoyong

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
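The replay the report describes, and the domain-separation fix it asks for, as an added Python example. This is not Stripes' CryptoUtil and not the project's code: it uses an HMAC-SHA256 counter-mode keystream as a stdlib stand-in for AES so it runs anywhere, and the secret, parameter names and function names are assumptions for illustration. The weak `seal_shared`/`open_shared` pair mirrors the reported pattern (one secret for every parameter, no purpose bound into the tag), so a token minted for "s:password" decrypts fine when submitted as "__fp". The `seal_token`/`open_token` pair derives an independent encryption and MAC key per purpose from the configured secret and also feeds the purpose string into the MAC, so the same swap is rejected before anything is decrypted.

```python
"""Domain separation for encrypted request parameters (added example, not Stripes code)."""
import base64
import hashlib
import hmac
import os

# Constructed example secret; a real deployment loads this from configuration.
MASTER_SECRET = hashlib.sha256(b"example-configured-secret").digest()

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master: bytes, label: str) -> bytes:
    """Derive an independent subkey from the configured secret (HMAC-based KDF)."""
    return hmac.new(master, b"stripes-param-key:" + label.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_shared(master: bytes, plaintext: bytes) -> str:
    """Reported pattern: every parameter sealed under the one configured secret, no purpose."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(master, nonce, len(plaintext)))
    tag = hmac.new(master, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_shared(master: bytes, token: str):
    """Decrypts any token made by seal_shared, regardless of which parameter it came from."""
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(master, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor(ct, _keystream(master, nonce, len(ct)))


def seal_token(master: bytes, purpose: str, plaintext: bytes) -> str:
    """Encrypt-then-MAC under keys derived for `purpose` (e.g. "s:password", "__fp").

    The purpose string is also authenticated, so the tag only verifies for a
    decryptor that expects exactly that purpose.
    """
    enc_key = derive_key(master, "enc:" + purpose)
    mac_key = derive_key(master, "mac:" + purpose)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, purpose.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_token(master: bytes, purpose: str, token: str):
    """Return the plaintext, or None if the token was not sealed for `purpose` or was altered."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    mac_key = derive_key(master, "mac:" + purpose)
    expected = hmac.new(mac_key, purpose.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = derive_key(master, "enc:" + purpose)
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def demo() -> dict:
    """Simulate the replay: a token minted for the s:password field is submitted as __fp."""
    shared_password_token = seal_shared(MASTER_SECRET, b"hunter2")
    # A __fp handler using the same shared secret happily decrypts the password token.
    shared_swap = open_shared(MASTER_SECRET, shared_password_token) == b"hunter2"

    separated_password_token = seal_token(MASTER_SECRET, "s:password", b"hunter2")
    # With per-purpose keys and purpose binding, the __fp handler rejects it outright.
    separated_swap = open_token(MASTER_SECRET, "__fp", separated_password_token) is not None
    return {"shared_key_swap_accepted": shared_swap,
            "separated_key_swap_accepted": separated_swap}


if __name__ == "__main__":
    print(demo())
```

The same construction carries over to Java with `Mac.getInstance("HmacSHA256")` for the derivation step and AES/CTR or AES/GCM for the cipher; the important part is that the per-parameter label goes into both the key derivation and the authenticated data, so a token cannot be moved between "s:password", "__fp" and "_sourcePage" even though all three descend from one configured secret.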