[ 
http://www.stripesframework.org/jira/browse/STS-918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13077#comment-13077
 ] 

Ben Gunter commented on STS-918:
--------------------------------

I suppose this might be possible if you encrypt a user-supplied value, which is 
one reason why you're not supposed to do that. As I stated, the intent is to 
ensure that a value that the *server* sends to the *client* gets returned 
unchanged. You should never encrypt a user-supplied field; the user wouldn't be 
able to change the value.

More specifically, the scenario you describe wouldn't work for the attacker. If 
they enter an unencrypted value in a password field that is tied to an 
encrypted ActionBean property, the server will reject it outright, and it won't 
be repopulated.

> All parameters encrypted/decrypted with the same secret
> -------------------------------------------------------
>
>                 Key: STS-918
>                 URL: http://www.stripesframework.org/jira/browse/STS-918
>             Project: Stripes
>          Issue Type: Bug
>            Reporter: Xiaoyong Wu
>
> Hi,
> I have been looking at the stripes framework and specifically on CryptoUtil 
> class usage. It looks to me that all the parameters are encrypted/decrypted 
> with the same secret, such as "s:password" repopulation, "__fp", 
> "_sourcePage" internal parameters. Depending on implementation details on 
> different sites, this makes the sites vulnerable to replay attack, such as 
> copying encrypted password to "__fp", copying a known redirect resolution 
> page to "_sourcePage" and etc.
> It would be great if the framework can use different secrets derived from the 
> configured one and use with different parameters, fields and other different 
> intentions
> -Xiaoyong

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
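The key separation Xiaoyong asks for, together with the "server sends, client returns unchanged" property Ben describes, as an added example in Python. This is not Stripes code and does not show how CryptoUtil actually works: one configured master secret, per-purpose subkeys derived with HMAC, and a token protected for `_sourcePage` that fails verification when replayed as `__fp`. The HMAC-SHA256 counter-mode keystream is a standard-library-only stand-in for a real cipher (a deployment would use a vetted AEAD such as AES-GCM); the names `derive_key`, `protect`, `unprotect` and `demo` and the sample values are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master: bytes, purpose: str, role: str) -> bytes:
    """Derive a subkey bound to one parameter (purpose) and one role (enc/mac).

    Because the purpose string is mixed into the derivation, a token made for
    "_sourcePage" is keyed differently from one made for "__fp" even though
    both come from the same configured master secret.
    """
    return hmac.new(master, f"{role}:{purpose}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an illustrative stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(master: bytes, purpose: str, plaintext: bytes) -> str:
    """Encrypt-then-MAC a server-chosen value under keys bound to `purpose`."""
    enc_key = derive_key(master, purpose, "enc")
    mac_key = derive_key(master, purpose, "mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def unprotect(master: bytes, purpose: str, token: str) -> Optional[bytes]:
    """Return the original value, or None if the token was not produced for
    this purpose under this master secret (wrong key, tampering, or replay of a
    token issued for a different parameter)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce = raw[:NONCE_LEN]
    ciphertext = raw[NONCE_LEN:-TAG_LEN]
    tag = raw[-TAG_LEN:]
    mac_key = derive_key(master, purpose, "mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; verify before touching the ciphertext.
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = derive_key(master, purpose, "enc")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo(master: bytes) -> Dict[str, Optional[bytes]]:
    """Issue a _sourcePage token and try to reuse it as __fp (constructed values)."""
    token = protect(master, "_sourcePage", b"/admin/Dashboard.action")
    return {
        "same_purpose": unprotect(master, "_sourcePage", token),
        "replayed_as_fp": unprotect(master, "__fp", token),
        "other_secret": unprotect(b"\x00" * 32, "_sourcePage", token),
    }


if __name__ == "__main__":
    # Constructed master secret; a real deployment reads its configured key.
    for name, result in demo(secrets.token_bytes(32)).items():
        print(f"{name}: {result!r}")
```

Only `same_purpose` yields the value; the replay under `__fp` and the attempt with a different master secret both return `None`, which is the outcome Ben describes for a mismatched value: rejected outright rather than repopulated.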

_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
