[ https://jira.codehaus.org/browse/CONTINUUM-838?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter closed CONTINUUM-838.
----------------------------------
Resolution: Duplicate
Assignee: Brett Porter
> Cross Site Request Forgery protection
> -------------------------------------
>
> Key: CONTINUUM-838
> URL: https://jira.codehaus.org/browse/CONTINUUM-838
> Project: Continuum
> Issue Type: Improvement
> Components: Web interface
> Affects Versions: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.1-alpha-1
> Reporter: Christian Gruber
> Assignee: Brett Porter
> Priority: Critical
> Labels: backlog-to-cleanup
>
> XSRF vulnerabilities are very hard to fix. More details on them at
> http://en.wikipedia.org/wiki/Cross-site_request_forgery with a key document
> found at http://isecpartners.com/documents/XSRF_Paper.pdf which outlines a
> solution.
> In short, an XSRFProtectionToken is passed in each form in a hidden variable,
> with the XSRFProtectionToken consisting of (pseudocode):
> hash(sessionid + actionName + sitewide_secret);
> The hash can be MD5 or SHA-1 or whatever. The important thing is that even
> if a user is logged on with a valid sessionId, the attacker cannot know in
> advance what the token will be without getting it out of an insecure browser
> (in which case, you have other problems). Even if the attacker gets access
> to a token for one action that's less security-risky (like invoking a build),
> they cannot then replay that token against something more risky (such as
> creating a new admin user).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
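An added example (not code from the ticket or from Continuum) of the per-session, per-action token scheme the report describes: the token is derived from the session id, the action name and a site-wide secret, so a token captured for a low-risk action (a build) does not verify for a high-risk one (creating an admin user) or for another session. It assumes HMAC-SHA256 in place of the bare MD5/SHA-1 hash the ticket mentions, and the secret and session id values are constructed samples.

```python
import hashlib
import hmac

# Constructed sample secret for this example; a real deployment generates it
# once (e.g. secrets.token_bytes(32)) and never puts it in a page or form.
SITEWIDE_SECRET = b"example-sitewide-secret-do-not-reuse"


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab","c") and ("a","bc") cannot collide."""
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("field too long for 2-byte length prefix")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def make_token(session_id: str, action_name: str, secret: bytes = SITEWIDE_SECRET) -> str:
    """Token for one hidden form field: the ticket's hash(sessionid + actionName
    + sitewide_secret), here computed as HMAC-SHA256 keyed with the secret
    (an assumption of this example) so the secret is a key, not plain data."""
    return hmac.new(secret, _encode_fields(session_id, action_name), hashlib.sha256).hexdigest()


def verify_token(session_id: str, action_name: str, submitted: str,
                 secret: bytes = SITEWIDE_SECRET) -> bool:
    """Server side: recompute the expected token for the session that is
    actually logged in and the action actually being invoked, then compare
    in constant time. Nothing from the request other than `submitted` is trusted."""
    expected = make_token(session_id, action_name, secret)
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Show that a token for one (session, action) pair cannot be replayed."""
    session = "constructed-session-id-1234"          # constructed sample
    build_token = make_token(session, "buildProject")
    return {
        "build_ok": verify_token(session, "buildProject", build_token),
        "replayed_to_admin": verify_token(session, "createAdminUser", build_token),
        "other_session": verify_token("constructed-other-session", "buildProject", build_token),
    }


if __name__ == "__main__":
    print(demo())
```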