Re: Reg: Wicket CSRF Token
Hi Sundar,

Have you had a look at https://julienprog.wordpress.com/2017/10/28/csrf-prevention-for-wicket/ ?

Kind regards,
Bas Gooren

On 16 June 2021 at 09:15:48, sundar saba (sundarsabapa...@gmail.com) wrote:

> Hi all,
>
> I am using Wicket and Spring Security in my application. By default Spring Security enables CSRF protection. It expects a CSRF token in my Wicket pages. How do I define the CSRF token in all my Wicket pages? Can you all please help me define the CSRF token in my Wicket pages?
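One way to hand Spring Security's token to Wicket, as an added example that is not from this thread, the linked blog post, or either project: a leaf component that renders the `CsrfToken` Spring's `CsrfFilter` attaches to the servlet request (under the attribute name `CsrfToken.class.getName()`, its default) as a hidden form field, and also publishes it in `<meta>` tags plus a header for Wicket Ajax calls, which post without form fields. It assumes `CsrfFilter` is mapped in front of `WicketFilter`, Wicket 6/7 on `javax.servlet`, and that Wicket's Ajax JavaScript publishes the `/ajax/call/beforeSend` event with the handler signature used below (taken from wicket-ajax-jquery.js; verify against your Wicket version).

```java
// Added example, not Wicket's or Spring Security's own code.
// Markup: <form wicket:id="form"><input wicket:id="csrf"/> ...</form>
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.head.IHeaderResponse;
import org.apache.wicket.markup.head.MetaDataHeaderItem;
import org.apache.wicket.markup.head.OnDomReadyHeaderItem;
import org.apache.wicket.markup.html.WebComponent;
import org.apache.wicket.request.cycle.RequestCycle;
import org.springframework.security.web.csrf.CsrfToken;

/** Renders <input type="hidden" name="_csrf" value="..."> so plain form posts carry Spring's token. */
public class SpringCsrfTokenField extends WebComponent {

    public SpringCsrfTokenField(String id) {
        super(id);
    }

    /** The token CsrfFilter stored on the current servlet request (assumes CsrfFilter ran before WicketFilter). */
    static CsrfToken currentToken() {
        HttpServletRequest req =
            (HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest();
        return (CsrfToken) req.getAttribute(CsrfToken.class.getName());
    }

    @Override
    protected void onComponentTag(ComponentTag tag) {
        super.onComponentTag(tag);
        CsrfToken token = currentToken();
        if (token == null) {
            // Fail closed: no token means the filter chain is not what we assumed.
            throw new IllegalStateException(
                "No CsrfToken on request; is CsrfFilter mapped before WicketFilter?");
        }
        tag.put("type", "hidden");
        tag.put("name", token.getParameterName()); // "_csrf" by default
        tag.put("value", token.getToken());        // attribute values are escaped by Wicket on render
    }

    /**
     * Wicket Ajax requests are XHR POSTs without the hidden field, so expose the token the way the
     * Spring Security docs suggest (meta tags) and add it as the header CsrfFilter accepts
     * (X-CSRF-TOKEN by default) before every Wicket Ajax call.
     */
    @Override
    public void renderHead(IHeaderResponse response) {
        super.renderHead(response);
        CsrfToken token = currentToken();
        if (token == null) {
            return;
        }
        response.render(MetaDataHeaderItem.forMetaTag("_csrf", token.getToken()));
        response.render(MetaDataHeaderItem.forMetaTag("_csrf_header", token.getHeaderName()));
        // Event topic and handler arguments are assumed from wicket-ajax-jquery.js; the guard
        // keeps pages without any Ajax behaviour (no Wicket.Event object) from throwing.
        response.render(OnDomReadyHeaderItem.forScript(
            "if (window.Wicket && Wicket.Event) {"
            + " Wicket.Event.subscribe('/ajax/call/beforeSend', function(jqEvent, attrs, jqXHR, settings) {"
            + "  var h = document.querySelector('meta[name=\"_csrf_header\"]').content;"
            + "  var t = document.querySelector('meta[name=\"_csrf\"]').content;"
            + "  jqXHR.setRequestHeader(h, t);"
            + " });"
            + "}"));
    }
}
```

Add `form.add(new SpringCsrfTokenField("csrf"))` to every form that posts; Spring's filter validates the parameter or header itself, before the request ever reaches Wicket, so Wicket code needs no further change. The component deliberately throws when the token is absent rather than rendering an empty field, which would otherwise only show up as a 403 on submit.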
Reg: Wicket CSRF Token
Hi all,

I am using Wicket and Spring Security in my application. By default Spring Security enables CSRF protection. It expects a CSRF token in my Wicket pages. How do I define the CSRF token in all my Wicket pages? Can you all please help me define the CSRF token in my Wicket pages?
[ANNOUNCE] CVE-2016-6806: Apache Wicket CSRF detection vulnerability
CVE-2016-6806: Apache Wicket CSRF detection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1

Description: Affected versions of Apache Wicket provide a CSRF prevention measure that fails to discover some cross-origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server-side targets were subjected to the CSRF check. This was also fixed.

Mitigation: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to 7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.

Credit: This issue was discovered by Gerben Janssen van Doorn

References: https://wicket.apache.org/news

To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
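To make the advisory's first point concrete, here is the source-origin rule it describes (use Origin, fall back to Referer only when Origin is absent, then compare with the origin the request was delivered to) written out as a standalone Java class. This is an added illustration, not Wicket's implementation: the class and method names, the treatment of the literal `Origin: null` as "no origin", and the example hosts are all mine.

```java
// Added illustration of the Origin/Referer rule from CVE-2016-6806; not Wicket's code.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public final class SourceOriginCheck {

    /** What the listener learns about where a request came from. */
    public enum Outcome { MATCH, CONFLICT, NO_ORIGIN }

    private SourceOriginCheck() {
    }

    /** Reduces an Origin value or a full Referer URL to lowercase scheme://host:port, or null if unusable. */
    static String normalize(String value) {
        if (value == null) {
            return null;
        }
        String v = value.trim();
        // Browsers send the literal "null" for opaque origins (sandboxed frames, some redirects);
        // treating it as absent is a design choice made here, so the NO_ORIGIN policy decides.
        if (v.isEmpty() || "null".equalsIgnoreCase(v)) {
            return null;
        }
        try {
            URI uri = new URI(v);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return null;
            }
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            String host = uri.getHost().toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            if (port == -1) {
                port = "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
            }
            return port == -1 ? scheme + "://" + host : scheme + "://" + host + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * @param origin  the Origin header, or null when the browser sent none
     * @param referer the Referer header, or null
     * @param target  scheme://host[:port] the request was delivered to
     */
    public static Outcome check(String origin, String referer, String target) {
        String source = normalize(origin);
        if (source == null) {
            // The fixed releases consult Referer here; a check that stops at Origin cannot
            // classify a cross-site form post from a browser that sent only Referer.
            source = normalize(referer);
        }
        if (source == null) {
            return Outcome.NO_ORIGIN;
        }
        return source.equals(normalize(target)) ? Outcome.MATCH : Outcome.CONFLICT;
    }

    public static void main(String[] args) {
        // Constructed sample headers; hosts are placeholders.
        String target = "https://app.example.com";
        System.out.println(check("https://app.example.com", null, target));              // MATCH
        System.out.println(check(null, "https://app.example.com/page?x=1", target));     // MATCH via Referer
        System.out.println(check(null, "https://evil.example.net/attack.html", target)); // CONFLICT
        System.out.println(check(null, null, target));                                   // NO_ORIGIN
    }
}
```

The third case is the one that matters for the advisory: with no Origin header present, only the Referer fallback turns it into a CONFLICT. The fourth case is where the listener's "no origin" action applies; proxies and privacy settings do strip Referer, so whatever you choose for it is a trade-off between usability and strictness, not something the check itself can decide.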
Re: Wicket CSRF/XSRF protection
On 30/12/2015 15:25, Martin Grigorov wrote:

> Hi,
>
> You can use CookieUtils to write the cookie. Later in each request you could use WebRequest.getHeader(String) or @HeaderParam if this is supported.

Hi and happy new year,

Thanks for the answer. So, in my case, the best way is to manage the cookie "manually"?

> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Wed, Dec 30, 2015 at 9:31 AM, andrea wrote:
>
>> Hi all,
>>
>> Starting from [this][1] question on stackoverflow, I'm going to ask one thing more.
>>
>> I've developed a web application in which Apache Wicket plays as "REST backend": it only exposes HTTP Resources, there is an application and there are no pages, and nothing HTML related. All "frontend" is developed in AngularJS.
>>
>> Now, I need protection against CSRF attacks. AngularJS documentation says:
>>
>> To take advantage of this [angular XSRF protection], your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have read the token.
>>
>> How can I get this token managed by Apache Wicket? Are there Wicket implementations of such a mechanism?
>>
>> I found CsrfPreventionRequestCycleListener, but this doesn't protect all requests; it seems to be configured (by default) only to protect Ajax requests on components or links. Or CryptoMapper with KeyInSessionSunJceCryptFactory, but this does not seem to do what I'm looking for. I "just" want to send a token, not to encrypt URLs, but if it guarantees the same protection I'll do that.
>>
>> I've not found much in the documentation; can you help me?
>>
>> [1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer
>>
>> Best regards,
>> Andrea
Re: Wicket CSRF/XSRF protection
Hi,

I think you might need to roll your own RequestCycleListener to check for the XSRF-TOKEN. Or alternatively, if you are using the wicketstuff REST support, you could use the hook method onBeforeMethodInvoked to check the token before the REST API is invoked. See https://github.com/wicketstuff/core/tree/master/wicketstuff-restannotations-parent and the javadoc at http://wicketstuff.org/core/javadoc7/apidocs/org/wicketstuff/rest/resource/AbstractRestResource.html

Andrea.

> Hi all,
>
> Starting from [this][1] question on stackoverflow, I'm going to ask one thing more.
>
> I've developed a web application in which Apache Wicket plays as "REST backend": it only exposes HTTP Resources, there is an application and there are no pages, and nothing HTML related. All "frontend" is developed in AngularJS.
>
> Now, I need protection against CSRF attacks. AngularJS documentation says:
>
> To take advantage of this [angular XSRF protection], your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have read the token.
>
> How can I get this token managed by Apache Wicket? Are there Wicket implementations of such a mechanism?
>
> I found CsrfPreventionRequestCycleListener, but this doesn't protect all requests; it seems to be configured (by default) only to protect Ajax requests on components or links. Or CryptoMapper with KeyInSessionSunJceCryptFactory, but this does not seem to do what I'm looking for. I "just" want to send a token, not to encrypt URLs, but if it guarantees the same protection I'll do that.
>
> I've not found much in the documentation; can you help me?
>
> [1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer
>
> Best regards,
> Andrea
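The "roll your own RequestCycleListener" route suggested above, worked through as an added example (it is not code from this thread, from Wicket, or from wicketstuff). It implements the AngularJS contract Andrea quotes: a JavaScript-readable `XSRF-TOKEN` cookie issued on the first request, and an `X-XSRF-TOKEN` header required on every non-safe method. One deliberate deviation, explained in the comments: the header is compared with a copy kept in the server-side session rather than with the cookie value, because a cookie alone is something an attacker on a sibling subdomain can plant. Assumed: Wicket 6/7 on `javax.servlet`, the session attribute name, and the token size.

```java
// Added example of a custom request cycle listener; not Wicket's or wicketstuff's code.
// Register in Application.init(): getRequestCycleListeners().add(new XsrfTokenRequestCycleListener());
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

public class XsrfTokenRequestCycleListener extends AbstractRequestCycleListener {

    static final String COOKIE_NAME = "XSRF-TOKEN";    // AngularJS default cookie name
    static final String HEADER_NAME = "X-XSRF-TOKEN";  // AngularJS default header name
    static final String SESSION_KEY = "xsrf.token";    // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void onBeginRequest(RequestCycle cycle) {
        WebRequest request = (WebRequest) cycle.getRequest();
        HttpServletRequest servletRequest = (HttpServletRequest) request.getContainerRequest();
        HttpSession session = servletRequest.getSession(true);

        // Server-side copy of the token, created on the first request of the session.
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(SESSION_KEY, expected);
        }

        // Re-issue the cookie on every response. It must stay readable by JavaScript
        // (so no HttpOnly), which is exactly why it is not the thing we verify against.
        Cookie cookie = new Cookie(COOKIE_NAME, expected);
        cookie.setPath("/");
        cookie.setSecure(servletRequest.isSecure());
        ((WebResponse) cycle.getResponse()).addCookie(cookie);

        if (isSafeMethod(servletRequest.getMethod())) {
            return; // GET/HEAD/OPTIONS must have no side effects, so no token is demanded
        }
        if (!tokensMatch(expected, request.getHeader(HEADER_NAME))) {
            throw new AbortWithHttpErrorCodeException(403, "Missing or invalid " + HEADER_NAME);
        }
    }

    static boolean isSafeMethod(String method) {
        return "GET".equalsIgnoreCase(method)
            || "HEAD".equalsIgnoreCase(method)
            || "OPTIONS".equalsIgnoreCase(method);
    }

    /** Constant-time comparison against the session copy; a missing header never matches. */
    static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
    }

    /** 256 bits from SecureRandom, URL-safe so it survives cookie and header transport unchanged. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```

Because `onBeginRequest` runs for every request handled by the Wicket filter, this covers the mounted resources in a page-less REST backend, which is the gap Andrea noticed with `CsrfPreventionRequestCycleListener`. Two things to keep in mind on the client side: AngularJS only attaches `X-XSRF-TOKEN` to same-origin requests, so the API must be served from the Angular app's origin, and the first request of a session has to be a safe method (the cookie does not exist yet) or it will be rejected.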
Re: Wicket CSRF/XSRF protection
Hi,

You can use CookieUtils to write the cookie. Later in each request you could use WebRequest.getHeader(String) or @HeaderParam if this is supported.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, Dec 30, 2015 at 9:31 AM, andrea wrote:

> Hi all,
>
> Starting from [this][1] question on stackoverflow, I'm going to ask one thing more.
>
> I've developed a web application in which Apache Wicket plays as "REST backend": it only exposes HTTP Resources, there is an application and there are no pages, and nothing HTML related. All "frontend" is developed in AngularJS.
>
> Now, I need protection against CSRF attacks. AngularJS documentation says:
>
> To take advantage of this [angular XSRF protection], your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have read the token.
>
> How can I get this token managed by Apache Wicket? Are there Wicket implementations of such a mechanism?
>
> I found CsrfPreventionRequestCycleListener, but this doesn't protect all requests; it seems to be configured (by default) only to protect Ajax requests on components or links. Or CryptoMapper with KeyInSessionSunJceCryptFactory, but this does not seem to do what I'm looking for. I "just" want to send a token, not to encrypt URLs, but if it guarantees the same protection I'll do that.
>
> I've not found much in the documentation; can you help me?
>
> [1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer
>
> Best regards,
> Andrea
Wicket CSRF/XSRF protection
Hi all,

Starting from [this][1] question on stackoverflow, I'm going to ask one thing more.

I've developed a web application in which Apache Wicket plays as "REST backend": it only exposes HTTP Resources, there is an application and there are no pages, and nothing HTML related. All "frontend" is developed in AngularJS.

Now, I need protection against CSRF attacks. AngularJS documentation says:

To take advantage of this [angular XSRF protection], your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have read the token.

How can I get this token managed by Apache Wicket? Are there Wicket implementations of such a mechanism?

I found CsrfPreventionRequestCycleListener, but this doesn't protect all requests; it seems to be configured (by default) only to protect Ajax requests on components or links. Or CryptoMapper with KeyInSessionSunJceCryptFactory, but this does not seem to do what I'm looking for. I "just" want to send a token, not to encrypt URLs, but if it guarantees the same protection I'll do that.

I've not found much in the documentation; can you help me?

[1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer

Best regards,
Andrea
Re: Wicket CSRF
Use the CsrfPreventionRequestCycleListener. It checks the Origin header and prevents requests from untrusted origins, which the CryptoMapper doesn't do. That just encrypts the URLs, making them hard to guess, but doesn't prevent anyone from calling such a URL from a different origin.

Martijn

On Fri, Oct 30, 2015 at 4:41 PM, Mihir Chhaya wrote:

> Hello,
>
> I have read Wicket CSRF related posts on the Wicket forum before posting this question. I could not find one with the detail I am looking for. If I have missed any, please redirect me to the link.
>
> I am looking into CSRF and Wicket 7 default settings. Everything seems fine with use of CryptoMapper (which by default uses KeyInSessionSunJceCryptFactory) to handle CSRF attacks.
>
> But I am not sure if Wicket still prevents CSRF if CryptoMapper is not used. Does the default mapper inherently use KeyInSessionSunJceCryptFactory? The documentation says KeyInSessionSunJceCryptFactory is the default only for ICrypt implementation objects. If not, then should one use CsrfPreventionRequestCycleListener?
>
> If a default anti-CSRF measure is already set, like CryptoMapper, which Wicket source class can I look into for better understanding?
>
> Thanks in advance,
> -Mihir.

--
Become a Wicket expert, learn from the best: http://wicketinaction.com
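How the listener Martijn recommends is wired up, as an added example that is not code from this thread or from Wicket itself. It shows the three policy knobs a deployment usually has to decide on: which extra origins are trusted, what happens on a conflicting origin, and what happens when neither Origin nor Referer is present (the case CVE-2016-6806 is about). The application is left abstract so the block compiles without a home page; the marker interface, host name and the choice of SUPPRESS for origin-less requests are assumptions, and the exact string form `addAcceptedOrigin` expects should be checked against the Javadoc of your Wicket version.

```java
// Added example of registering CsrfPreventionRequestCycleListener; not Wicket's own code.
// Needs a Wicket release that ships the listener (6.20+/7.x) and, per CVE-2016-6806,
// one of the fixed versions: 6.25.0, 7.5.0 or 8.0.0-M2 and later.
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;

public abstract class SecuredApplication extends WebApplication {

    /** Assumed marker for pages that legitimately receive cross-origin POSTs (e.g. a payment provider callback). */
    public interface CrossOriginPostTarget {
    }

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener() {
            /** Exempt only pages that opt in explicitly; everything else stays checked. */
            @Override
            protected boolean isChecked(IRequestablePage targetedPage) {
                return !(targetedPage instanceof CrossOriginPostTarget);
            }
        };

        // Requests from the application's own origin pass without configuration;
        // list additional trusted origins here (placeholder host).
        csrf.addAcceptedOrigin("admin.example.com");

        // A request whose Origin (or, failing that, Referer) names another site is refused.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);

        // No Origin and no Referer at all: do not run the targeted event, but let the request
        // continue so the page still renders. Stricter than allowing it; looser than aborting,
        // which would break clients behind Referer-stripping proxies.
        csrf.setNoOriginAction(CsrfAction.SUPPRESS);

        // Surface rejections as 403 rather than the listener's default error code.
        csrf.setErrorCode(403);

        getRequestCycleListeners().add(csrf);
    }
}
```

Keep the `isChecked` exemption list short and explicit: every page it excludes is a page a foreign site may post to, which is precisely the CSRF surface the listener exists to remove. The CryptoMapper can still be used alongside it for URL obfuscation, but as Martijn notes, that is not an origin check and should not be counted as one.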
Wicket CSRF
Hello,

I have read Wicket CSRF related posts on the Wicket forum before posting this question. I could not find one with the detail I am looking for. If I have missed any, please redirect me to the link.

I am looking into CSRF and Wicket 7 default settings. Everything seems fine with use of CryptoMapper (which by default uses KeyInSessionSunJceCryptFactory) to handle CSRF attacks.

But I am not sure if Wicket still prevents CSRF if CryptoMapper is not used. Does the default mapper inherently use KeyInSessionSunJceCryptFactory? The documentation says KeyInSessionSunJceCryptFactory is the default only for ICrypt implementation objects. If not, then should one use CsrfPreventionRequestCycleListener?

If a default anti-CSRF measure is already set, like CryptoMapper, which Wicket source class can I look into for better understanding?

Thanks in advance,
-Mihir.
Web app vulnerability protection in wicket (csrf)
Does Wicket have support for top vulnerabilities? Mainly I am trying to protect against cross-site scripting and cross-site request forgery attacks. I haven't found anything yet explicitly for those attacks, but for CSRF I was going to try to use the encrypted URL strategy. (And I am assuming the default URL versioning strategy or the random parameter on the URL is not a full protection against those attacks?)

Also, for CSRF, is there an easy way to inject tokens for each request? If those tokens are valid, then we could generate an error.

Note: I am assuming an ancient version of Wicket, 1.4.x (1.4.15).