A good way would be to alter the Form object to contain (via a hidden variable) a field that's generated per the whitepaper linked from that wikipedia article. The form would then consume the post, and if that field is not in the expected state, generate an error state, which could then be redirected to a security page or some such. We solved it this way, though without changing the T5 form object - we used a custom form object.

A friend of mine wrote the linked whitepaper, so if someone's trying to put the fix into the Tapestry framework infrastructure, then let me know and I'll connect you by e-mail. It's a good read anyway, as it's a bit of a subtle problem.

Christian.

On 28-Jul-08, at 14:50 , Martijn Brinkers (List) wrote:

Cross-site request forgery (CSRF) is a web application vulnerability
that is often neglected by web developers. If your application is
vulnerable to CSRF and an attacker can entice you to request some URL
(this can be done for example with an image with the src set to some
Tapestry action) the attacker can execute random Tapestry actions and
post forms (like adding an administrator etc.) without the user's consent.
For more info on CSRF see for example:
http://en.wikipedia.org/wiki/Cross-site_request_forgery.
One way to protect against CSRF is to add a non-guessable code (saved in
the user session) to the URLs that need to be protected against CSRF or
add a hidden field to a Form with this unique code. When Tapestry
receives a request (for a page or action) and that page/action needs
protection, a check is done to see if the code from the URL matches the
code stored in the user session. If not, you know that the request was
not generated by Tapestry.

My question is what is the best way to implement this? Should I add the
code as a context parameter and for forms as a hidden field? And use a
dispatcher to check whether the page should have been protected?

Thanks,

Martijn Brinkers


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
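The session-bound token check the thread describes (random code stored in the session, echoed back as a hidden field or context parameter, compared on every protected request), as an added stand-alone Java example that is not Tapestry code and not either poster's implementation. It assumes a plain Map in place of the HTTP session and a hypothetical field name; in Tapestry the validate step would be called from the Dispatcher or form handler Martijn proposes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Synchronizer-token pattern, framework-independent. The Map stands in for the
// HTTP session (assumption); FIELD_NAME is a hypothetical hidden-field/parameter name.
public class CsrfToken {
    static final String SESSION_KEY = "csrf.token";
    static final String FIELD_NAME = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the token bound to this session, creating a 256-bit random one on first use. */
    static String tokenFor(Map<String, Object> session) {
        String tok = (String) session.get(SESSION_KEY);
        if (tok == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);                       // cryptographically strong, not guessable
            tok = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, tok);
        }
        return tok;
    }

    /** Accepts the request only if the submitted value equals the session token. */
    static boolean isValid(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(SESSION_KEY);
        // No token ever issued, or the field is absent: a forged request, not a Tapestry one.
        if (expected == null || submitted == null) return false;
        // Constant-time comparison so a wrong guess cannot be refined byte by byte.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String hidden = tokenFor(session);            // value rendered into the form's hidden field
        System.out.println("legitimate post : " + isValid(session, hidden));
        System.out.println("forged, no field: " + isValid(session, null));
        System.out.println("forged, guessed : " + isValid(session, "guess"));
        session.clear();                              // session expired or user logged out
        System.out.println("stale token     : " + isValid(session, hidden));
    }
}
```

A request that fails isValid should be rejected before any action or form handler runs, which is why a Dispatcher (or a custom Form object, as Christian did) is the natural place for the check.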


