Hi devs,

Should XWiki protect itself against CSRF? See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 and http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet for details.

In short: an attacker could use something like:

<img src="http://xwikiserver/bin/save/Some/Document?content=Hacked"/>

to alter the wiki using another user's account. Protection usually involves embedding tokens in submitted forms and URLs.

The good news is that it can be done transparently using an LGPL tool from OWASP. The bad news is that it does not protect against attacks from the same wiki, but only against cross-site attacks. And it also breaks direct manipulation using URLs (as an expert user, I do enter URLs directly instead of clicking through the interface, and I wouldn't like it if I couldn't do it any more).

So, WDYT?

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
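The token mechanism described in the post, as an added illustration that is not XWiki's code and not the OWASP tool the post mentions: a minimal server-side synchronizer-token check in Python. It derives a per-session token, emits the hidden form field the server would render, and then decides whether a request may proceed. The forged `<img>` request from the post carries no token and is refused; a form the wiki rendered itself, or a hand-typed URL that includes the token, goes through. The parameter name `form_token`, the list of protected actions, the `/bin/<action>/...` path layout and the server secret are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed server-side secret. In a real deployment it is generated at
# install time and kept in configuration, never in source code.
SERVER_SECRET = b"example-only-secret-replace-me"

# Actions assumed to change wiki state and therefore need a token. Read-only
# actions such as "view" are left alone so URLs can still be typed by hand.
STATE_CHANGING_ACTIONS = {"save", "delete", "rename", "upload"}

# Assumed name of the hidden form field / query parameter carrying the token.
TOKEN_PARAM = "form_token"


def issue_token(session_id: str) -> str:
    """Derive the CSRF token for a session: HMAC(secret, session id).

    Binding the token to the session means a token captured from user A is
    useless in user B's session, and a page on another origin that forges
    an <img> request cannot learn it, because it never sees our responses.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hidden_field(session_id: str) -> str:
    """The hidden input a server would embed in every form it renders."""
    return f'<input type="hidden" name="{TOKEN_PARAM}" value="{issue_token(session_id)}"/>'


def check_request(session_id: str, url: str,
                  form: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Decide whether a request may proceed. Returns (allowed, reason)."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    # Assumed path layout: /bin/<action>/<Space>/<Document>
    action = segments[1] if len(segments) > 1 and segments[0] == "bin" else ""
    if action not in STATE_CHANGING_ACTIONS:
        return True, "read-only action, no token required"

    # Accept the token either as a POSTed form field or as a query parameter.
    # The query form keeps hand-typed URLs possible, at the price of the token
    # showing up in server logs and Referer headers.
    submitted = (form or {}).get(TOKEN_PARAM)
    if submitted is None:
        submitted = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    if submitted is None:
        return False, f"{action}: missing {TOKEN_PARAM}"
    # Constant-time comparison on bytes, so a non-ASCII submission cannot
    # raise and the check does not leak how many leading characters matched.
    expected = issue_token(session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, f"{action}: token does not match session"
    return True, f"{action}: token ok"


if __name__ == "__main__":
    session = "victim-session-42"  # constructed session id
    # The forged request from the post: the victim's browser sends it with
    # the victim's cookies, but the attacker's page could not add the token.
    print(check_request(session, "http://xwikiserver/bin/save/Some/Document?content=Hacked"))
    # A form the wiki rendered for the victim, token included.
    print(hidden_field(session))
    print(check_request(session, "http://xwikiserver/bin/save/Some/Document",
                        {"content": "legit", TOKEN_PARAM: issue_token(session)}))
    # The "expert user" case: a hand-typed URL still works if the token is pasted in.
    print(check_request(session, "http://xwikiserver/bin/save/Some/Document"
                        f"?content=legit&{TOKEN_PARAM}={issue_token(session)}"))
```

Two caveats the post already hints at are visible in the code: the check only distinguishes requests by whether they carry the session's token, so script or markup that already runs on the wiki's own origin can read the hidden field and pass the check (the same-wiki case), and accepting the token on the query string, which is what keeps typed URLs usable, exposes it in logs and Referer headers, so a deployment that allows it should treat those as sensitive.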

