I have not yet written a highly secure application in Wicket, but I've
been waiting for years for the financial sector to discover Wicket because I
believe it transparently solves the majority of security problems for that
domain (if not all). Most other web frameworks (and possibly all) cannot
hope to achieve the same results due to their design.


Arthur Ahiceh wrote:
> 
> Hi guys,
> 
> I have a very critical application in a banking environment and I wanted
> to resolve the following questions about security. These points are raised
> after reading some documentation from mailing lists (webappsec, struts,
> wicket, etc.) and projects like HDIV[2].
> 
> 1. ESCAPING CHARACTERS: I have read in wicket's mailing list that all
> wicket components escape values. I have done some tests in the
> "wicket-examples" application distributed in the wicket-1.3.1 release: I
> modified, in the FormInput.properties file, the value of the key "string"
> to "<script>alert("xss");</script>" and I see that this script is executed
> when I load the page with this message key. So, I don't know if all
> components escape values or not!
> 
> 2. INTEGRITY: Actually, in my bank application we have hidden fields in our
> forms to store critical values and I want to know if wicket by default
> guarantees data integrity or not. I want to guarantee integrity like HDIV
> does in Struts and Spring MVC apps... is it possible in wicket?
> 
> I have read in wicket's documentation that it is possible to encrypt urls,
> ensuring integrity (http://cwiki.apache.org/WICKET/url-coding-strategies.html),
> but is it possible to apply this strategy to forms? Or are data tampering
> attacks possible in wicket forms with hidden fields?
> 
> So, can Wicket ensure data integrity?
> 
> 3. CONFIDENTIALITY: After reading HDIV's reference document I have seen that
> in our application database identifiers are presented in html pages as
> combo value ids and now we want to hide these values. I thought about
> implementing a common renderer for all my wicket components to be
> responsible for returning a value relative to the original values, but I
> do not like it because it is probable that my programmers won't use it in
> all cases and that is a risk that I don't want to run. Is there any wicket
> functionality to return confidential data, by default, for a form's values?
> I do not want to rely on developers...
> 
> 4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read
> (http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> to add random tokens to all requests. Is it possible to add a random
> parameter to requests automatically in wicket?
> 
> I need your help to answer these questions, pls!
> 
> thanks!
> 
> [1] http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
> [2] http://www.hdiv.org/docs/hdiv-reference.pdf
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Security-Features-offered-by-Wicket-tp15738864p15834155.html
Sent from the Wicket - User mailing list archive at Nabble.com.
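The HDIV-style scheme the question asks about in points 2 and 3 (replace real hidden-field values and database ids with handles that the server issues and later verifies) can be sketched in plain Java. This is an added illustration, not code from Wicket, HDIV, or anyone in the thread; the class name and its `issue`/`resolve`/`invalidate` methods are hypothetical, and it assumes one instance is kept per HTTP session and that the framework calls it at render and submit time.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Session-scoped store that replaces real values (database ids in a combo,
 * the contents of a hidden field) with random handles before they reach the
 * browser and resolves them back on submit. Hypothetical helper illustrating
 * the HDIV-style idea; it is not part of Wicket or HDIV.
 */
public final class OpaqueValueStore {
    private static final SecureRandom RNG = new SecureRandom();
    // fieldName -> (handle -> real value); one instance lives in the HTTP session
    private final Map<String, Map<String, String>> issued = new HashMap<>();

    /** Render time: returns the handle to emit in HTML instead of the real value. */
    public String issue(String fieldName, String realValue) {
        byte[] nonce = new byte[16];                       // 128 random bits: not guessable
        RNG.nextBytes(nonce);
        String handle = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        issued.computeIfAbsent(fieldName, k -> new HashMap<>()).put(handle, realValue);
        return handle;
    }

    /**
     * Submit time: maps the posted handle back to the real value. A handle that was
     * never issued, or was issued for a different field, is rejected, so the client
     * can neither edit the value nor substitute one it saw in another field.
     */
    public String resolve(String fieldName, String postedHandle) {
        Map<String, String> forField = issued.get(fieldName);
        String real = forField == null ? null : forField.get(postedHandle);
        if (real == null) {
            throw new IllegalArgumentException("rejected value for field " + fieldName);
        }
        return real;
    }

    /** Call after a successful submit so the handles cannot be replayed into a later form. */
    public void invalidate(String fieldName) { issued.remove(fieldName); }

    public static void main(String[] args) {
        OpaqueValueStore store = new OpaqueValueStore();
        // Constructed sample: a combo offering two account ids and a hidden amount field.
        String account1 = store.issue("account", "4711");
        String account2 = store.issue("account", "4712");
        String amount = store.issue("amount", "100.00");
        System.out.println(store.resolve("account", account1) + " / " + store.resolve("account", account2));
        try { store.resolve("account", amount); }             // handle taken from another field
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        try { store.resolve("amount", "999.00"); }            // client-edited raw value
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```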
