Hi Dov / Daniele

Thanks for this.  I was not actually talking about "cross site scripting" but 
"cross-site request forgery" according to the link 
http://en.wikipedia.org/wiki/Cross-site_request_forgery

I think, as Daniele suggests, that the way that component urls are constructed 
means they are not vulnerable whereas direct action urls are.  As our site uses 
authenticated sessions and component actions then we should be ok, but I would 
like confirmation.

Regards

Giles

> HTTPS will not stop cross site scripting attacks. The only way to stop cross 
> site scripting and request forging attacks is to validate all URL parameters 
> against a white list and validate all posts coming from your application were 
> from your application and not a BURP suite type of hack tool. OWASP 
> (http://www.owasp.org) has a lot of really good information and tools that 
> you can integrate into a WO app to greatly reduce security issues (notice I 
> said reduce not eliminate)
> 
> Dov Rosenberg
> 
> 
> On Jan 26, 2012, at 8:16 AM, Daniele Corti wrote:
> 
>> Hi Giles,
>> Well, IMHO, only direct actions can be vulnerable to Cross-Site Attack. 
>> 
>> To prevent this you can avoid handling the Session ID in cookies and force URLs 
>> to contain the Session ID in each request (BTW, this is the default WO 
>> behaviour). Second, you can check in Direct Actions that the http-referer 
>> domain is the same as your app's (request().headerForKey("referer")).
>> 
>> For me, the best way to avoid Cross-Site Attack would be using session-less 
>> Direct Actions, with POST auth credential in each request. Under HTTPS of 
>> course...
>> 
>> Hope this helps!
>> 
>> Bye
>> -- 
>> Daniele Corti
>> --
>> I DON'T DoubleClick
>> 
>> 
>> 2012/1/26 Giles Palmer <li...@cedarstone.co.uk>
>> Hi All
>> 
>> We have an application that lives behind a login and all requests are 
>> session based component requests.  We have been asked by a user about our 
>> vulnerability to Cross-site request forgery.
>> 
>> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>> and
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
>> 
>> What do you guys do to protect against this? Are component urls and an 
>> authenticated session enough to prevent this?
>> 
>> Advice much appreciated.
>> 
>> 
>> Regards
>> 
>> 
>> Giles
>>  _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list      (Webobjects-dev@lists.apple.com)
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/webobjects-dev/ildenae%40gmail.com
>> 
>> This email sent to ilde...@gmail.com
>> 
>> 
>> 
> 
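The two controls discussed above (a per-session synchronizer token that the application itself embeds in its forms and links, plus a check that the Referer/Origin header names the application's own host) are shown here as an added, framework-neutral Python illustration. This is not code from the thread or from WebObjects; `APP_HOST`, the `Session` and `Request` classes and every sample request are constructed assumptions standing in for the real framework objects.

```python
"""Constructed CSRF checks: synchronizer token plus Referer/Origin host check.

Not WebObjects code; the classes below stand in for the framework's
session and request objects so the checks can run stand-alone.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed hostname of our own application (constructed value).
APP_HOST = "app.example.test"

STATE_CHANGING_METHODS = ("POST", "PUT", "DELETE", "PATCH")


@dataclass
class Session:
    """Stand-in for a server-side session; the token is created once per session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Stand-in for an incoming request after the framework resolved its session."""
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]


def token_for_own_forms(session: Session) -> str:
    """The value the app embeds in its own forms/URLs; a cross-site page cannot read it."""
    return session.csrf_token


def referer_is_own_host(headers: Dict[str, str]) -> bool:
    """True only if Origin (preferred) or Referer parses to exactly APP_HOST.

    The hostname is parsed and compared whole: a prefix or substring test would
    accept a lookalike such as app.example.test.attacker.example.
    A missing header is treated as a failure, so this check is secondary to the token.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    host = urlsplit(value).hostname  # already lower-cased by urlsplit
    return host is not None and host == APP_HOST


def token_matches(request: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    if request.session is None:
        return False
    supplied = request.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, request.session.csrf_token)


def allow_state_change(request: Request) -> Tuple[bool, str]:
    """Decide whether a request may perform a state-changing action.

    Returns (allowed, reason). Safe methods are let through; state-changing
    ones need the session token first and an own-host Origin/Referer second.
    """
    if request.method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"
    if not token_matches(request):
        return False, "missing or wrong synchronizer token"
    if not referer_is_own_host(request.headers):
        return False, "referer/origin not our host"
    return True, "ok"


if __name__ == "__main__":
    sess = Session()
    samples = {
        # Legitimate submission from one of our own pages.
        "own page": Request("POST", {"Referer": f"https://{APP_HOST}/edit"},
                            {"csrf_token": token_for_own_forms(sess)}, sess),
        # Cross-site forgery: the browser attached the session, but the
        # attacker's page could not read the token.
        "forged": Request("POST", {"Referer": "https://attacker.example/page"}, {}, sess),
        # Lookalike host that a substring check on the Referer would accept.
        "lookalike": Request("POST", {"Referer": f"https://{APP_HOST}.attacker.example/"},
                             {"csrf_token": token_for_own_forms(sess)}, sess),
    }
    for name, req in samples.items():
        print(f"{name:10s} -> {allow_state_change(req)}")
```

The order of the checks is deliberate: the token is the primary control because the Referer header can be absent (stripped by a browser privacy setting or a proxy), so a Referer-only scheme either rejects legitimate users or, if it treats absence as acceptable, can be bypassed. Applying the check only to state-changing methods matches the thread's point that a navigation link or a read-only component URL is not the risk; the action that modifies data is.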

