Markus, that all sounds very good. I'll have a look at it once I'm back from vacation on Tuesday.
I'm curious to see what the others say.

Uli

On Sat, 7 May 2011, 22:53, Markus Jung wrote:
> Hi,
>
> I have created a quite simple app that I will use to demonstrate CSRF
> attacks. Throughout the development I will show how to protect this app with
> the CSRF protection I'm going to implement.
>
> The app is called LittleChirp and is a mockup of a basic social network site
> which allows setting a small status message for a user.
>
> There are 3 functionalities implemented:
>
> -) User Login
> -) Status Message Update and display of previous posts
> -) User Logout
>
> There are two pages, Index and Status, and one component, Layout.
>
> The Index page contains the login logic. The authentication is done by using
> a custom AuthenticationState class placed in a util package.
>
> The Status page contains the logic to add status messages. The messages are
> put in an ArrayList stored in the session. No persistence is used, since it
> would make the app more complex without any benefit for the CSRF security
> demonstration. A post form is used to send new status messages to the page.
>
> The logout functionality is realized with an actionlink that issues a GET
> request. This is considered to be bad design. But I think it should also be
> possible to protect such actions. The logout functionality is part of the
> Layout component.
>
> The attack site is a simple HTML site that contains crafted requests to the
> locally started Tapestry app. There are two attacks, one for the status
> update form and one for the logout link.
>
> I think this will be a good showcase for CSRF protection. If somebody is
> missing something, please let me know.
>
> How to run it:
>
> Project name: victimapp
> Project hosted: http://code.google.com/p/gsoc2011-csrf-protection/
> SVN-Repo: http://gsoc2011-csrf-protection.googlecode.com/svn/trunk/
> Run: mvn jetty:run
> Browse: http://localhost:8080/victimapp
>
> Attacksite: just open the single html file provided. There are two actions
> that can be executed there.
>
> I will document this showcase at http://viennamarkus.blogspot.com/. I will
> also post information about further progress there.
>
> Maybe it is also a good idea to put this at some point on the official
> Tapestry documentation site.
>
> KR
> Markus
>
> --
> View this message in context:
> http://tapestry.1045711.n5.nabble.com/CSRF-protection-tp4379034p4379034.html
> Sent from the Tapestry - Dev mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
