[
https://issues.apache.org/jira/browse/WICKET-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12625459#action_12625459
]
Igor Vaynberg commented on WICKET-1782:
---------------------------------------
in the near future is all i can say. if you would like it to be released
earlier start a thread on the mailing list
> Protection against CSRF (cross-site request forgery) attacks
> ------------------------------------------------------------
>
> Key: WICKET-1782
> URL: https://issues.apache.org/jira/browse/WICKET-1782
> Project: Wicket
> Issue Type: Improvement
> Components: wicket
> Affects Versions: 1.3.4
> Reporter: Gorka Vicente
> Assignee: Igor Vaynberg
> Fix For: 1.3.5, 1.4-M4
>
>
> Currently Wicket doesn't include a uniform and automatic solution against
> CRSF vulnerability or OWASP-A5 vulnerability [1].
> In order to solve CSRF is necessary to avoid static HTML and create dynamic
> or aleatory HTML per user.
> Two posible solutions:
> 1. Include a random token (aleatory parameter) to each url (link or form).
> The name and the value of this parameter can be the same per user or change
> per request (more secure but perform worse). It seems that can be implemented
> creating other implementation of IRequestCodingStrategy interface.
> 2. Encrypt all urls (links and form urls) using "Request Coding Strategy"
> strategy offered currently by wicket (CryptedUrlWebRequestCodingStrategy).
> Provide a security factory to use a different key per user or add some
> aleatory data to encrypted data (for example user jessionid). (SunJceCrypt,
> bundled in Wicket, is vulnerable to CSRF because obtained encrypted string is
> the same for all the users)
> [1] http://www.owasp.org/index.php/Top_10_2007-A5
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
