[
https://issues.apache.org/jira/browse/WICKET-5326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14137396#comment-14137396
]
SATISH GUTTA commented on WICKET-5326:
--------------------------------------
Jesse,
Regarding issue #1:
I tried QueryParameterCryptoMapper2.java as you recommended.
First I see home page urls/links are encrypted.
Second, I tried to do an XSRF test by copying a link in the home page and pasting it in a different browser, and the link was successfully executed; I was expecting the Page Expired page, which did not happen.
To my understanding the home page links are still XSRF vulnerable.
The same XSRF test was done using links from non-home pages by copying and pasting in a new browser, and I was able to see the Page Expired page.
Regarding issue #2:
I have sent an email to wicket-users mailing list.
> Wicket doesn't encrypt links and Ajax URLs when CryptoMapper is used
> --------------------------------------------------------------------
>
> Key: WICKET-5326
> URL: https://issues.apache.org/jira/browse/WICKET-5326
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 6.10.0
> Environment: Linux
> Reporter: Walter B. Rasmann
> Assignee: Martin Grigorov
> Labels: security
> Attachments: 5326.tar.gz, QueryParameterCryptoMapper.java,
> QueryParameterCryptoMapper2.java, Wicket_6_1_6_QuickStart.zip
>
>
> URL encryption does not work in Wicket links and Ajax URLs.
> For links the URL appears unencrypted in the href attribute value and is only
> later forwarded to the encrypted URL using a 302 response.
> I am uploading a quickstart.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)