[ http://www.stripesframework.org/jira/browse/STS-918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ben Gunter resolved STS-918.
----------------------------
Resolution: Not a Bug
Encrypted parameters are only intended to assure that a value that is sent to
the client is returned to the server unmodified. They also serve the purpose of
obscuring things like identifiers that might allow an attacker to guess other
identifiers based on a pattern (e.g. a serial column in a database). Thus the
security provided by encrypted parameters is that they prevent attackers from
injecting values into requests; they do not prevent reuse of valid values.
> All parameters encrypted/decrypted with the same secret
> -------------------------------------------------------
>
> Key: STS-918
> URL: http://www.stripesframework.org/jira/browse/STS-918
> Project: Stripes
> Issue Type: Bug
> Reporter: Xiaoyong Wu
>
> Hi,
> I have been looking at the Stripes framework and specifically at the CryptoUtil
> class usage. It looks to me that all the parameters are encrypted/decrypted
> with the same secret, such as "s:password" repopulation and the "__fp" and
> "_sourcePage" internal parameters. Depending on implementation details on
> different sites, this makes the sites vulnerable to replay attacks, such as
> copying an encrypted password into "__fp", copying a known redirect resolution
> page into "_sourcePage", etc.
> It would be great if the framework could use different secrets derived from the
> configured one and use them with different parameters, fields and other
> intentions.
> -Xiaoyong
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
------------------------------------------------------------------------------
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
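The report above asks for per-parameter secrets derived from the configured one, and the resolution notes that encrypted parameters stop injection of attacker-chosen values, not reuse of valid ones. The following is an added example, not Stripes code and not CryptoUtil's actual construction, showing the domain-separation pattern the report asks for: a per-purpose subkey is derived from a single master secret with an HMAC-SHA256 label (HKDF-Expand style), and the parameter name is also bound into the authentication tag, so a token sealed for "s:password" fails to open as "__fp". The master secret, the field names and the HMAC-counter keystream (a standard-library stand-in for AES-GCM with the purpose as associated data) are all assumptions for the demo. The example deliberately also shows the resolution's caveat: domain separation only blocks cross-field replay; a token replayed into the same field it was issued for still opens.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed master secret for the demo only; a real deployment loads it from config.
MASTER_SECRET = b"example-master-secret-for-demo-only"
NONCE_LEN = 16
TAG_LEN = 32
# Sentinel purpose standing in for "one secret for everything" (the reported behaviour).
LEGACY_SHARED = "legacy-shared-key"


def derive_key(master: bytes, purpose: str, label: str) -> bytes:
    """Derive a per-purpose subkey as HMAC-SHA256(master, label || 0x00 || purpose).
    Distinct purposes ("s:password", "__fp", "_sourcePage") give unrelated keys."""
    return hmac.new(master, label.encode() + b"\x00" + purpose.encode(), hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i). Demo stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(mac_key: bytes, purpose: str, nonce: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC; the purpose is authenticated too, so it cannot be swapped.
    return hmac.new(mac_key, purpose.encode() + b"\x00" + nonce + ct, hashlib.sha256).digest()


def seal(master: bytes, purpose: str, plaintext: bytes, nonce: bytes = None) -> str:
    """Encrypt and authenticate `plaintext` for one specific parameter name."""
    enc_key = derive_key(master, purpose, "enc")
    mac_key = derive_key(master, purpose, "mac")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return base64.urlsafe_b64encode(nonce + ct + _tag(mac_key, purpose, nonce, ct)).decode()


def open_sealed(master: bytes, purpose: str, token: str):
    """Return the plaintext if `token` was sealed for exactly this purpose, else None."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    mac_key = derive_key(master, purpose, "mac")
    if not hmac.compare_digest(tag, _tag(mac_key, purpose, nonce, ct)):
        return None
    enc_key = derive_key(master, purpose, "enc")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def legacy_open(master: bytes, field: str, token: str):
    """Models the reported behaviour: every field decrypts with the same key, so the
    field name plays no part in whether a token is accepted."""
    return open_sealed(master, LEGACY_SHARED, token)


def demo() -> dict:
    """Replays a token issued for s:password into __fp under both schemes."""
    pw_token = seal(MASTER_SECRET, "s:password", b"hunter2")
    legacy_pw_token = seal(MASTER_SECRET, LEGACY_SHARED, b"hunter2")
    return {
        # Correct use still works.
        "same_field_roundtrip": open_sealed(MASTER_SECRET, "s:password", pw_token) == b"hunter2",
        # Cross-field replay fails once keys and tags are bound to the field name.
        "cross_field_replay_rejected": open_sealed(MASTER_SECRET, "__fp", pw_token) is None,
        # With one shared key, the same replay is accepted (the reported concern).
        "legacy_cross_field_replay_accepted": legacy_open(MASTER_SECRET, "__fp", legacy_pw_token) == b"hunter2",
        # The resolution's point: reuse of a valid value in its own field is not prevented.
        "same_field_replay_still_accepted": open_sealed(MASTER_SECRET, "s:password", pw_token) == b"hunter2",
    }


if __name__ == "__main__":
    print(demo())
```

Binding the purpose into both the derived key and the tag is belt and braces; either alone defeats cross-field replay, but authenticating the purpose makes the rejection explicit rather than relying on the key mismatch. Stopping same-field replay needs something this scheme does not provide, such as a nonce stored server-side or a short expiry inside the sealed value.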