On Mon, 2008-01-14 at 13:23 -0800, Jonathan Locke wrote:
> Sam Hough wrote:
> >
> > It has only just struck me how much more secure Wicket is out of the box
> > than struts, spring, GWT etc. The features list doesn't really seem to
> > drive this point home...
> >
> > Maybe add really clear example like: "Equivalent to not having pointer
> > arithmetic in Java. e.g. HTTP requests specify which option from a select
> > box to use rather than allowing arbitrary values to be sent"
> >
> > Cheers
> >
> > Sam
> >
> YES!
>
>
Which brings up some curious thoughts... (I hope this isn't considered thread
hijacking...)
I'm usually pretty paranoid with the applications I build from the ground
up, but what can be done with existing apps already in production?
Especially when you come into the realm of trying to be PCI compliant.
WAFs (web application firewalls) are, to some extent, a convenient work-around.
modsecurity can be deployed as an Apache module, accomplishing some of this.
msj [1] also seems to include a subset of those features at the servlet level.
And just tonight I was reading more about hdiv [2], which I'll try to summarize
as briefly as possible by quoting from their homepage:
"INTEGRITY: HDIV guarantees integrity (no data modification) of all the
data generated by the server which should not be modified by the client (links,
hidden fields, combo values, radio buttons, destiny pages, etc.)."
"EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk
originated by attacks of type Cross-site scripting (XSS) and SQL Injection
using generic validations of the editable data (text and textarea)"
"CONFIDENTIALITY: HDIV guarantees the confidentiality of the non
editable data as well. Usually lots of the data sent to the client has key
information for the attackers such as database registry identifiers, column or
table names, web directories, etc"
Now how this all relates to Wicket is interesting in that Wicket provides
quite a bit oob (out of the box). So while many .Net and similar fanboys are
always talking about 'it just works', I'm happy to report that most of
these issues have been transparently taken care of for you.
For example, I know Matej has considered the impact of the difference in
security between storing the state in the client (Cipher strategy) vs.
the server (Memory strategy). Also, integrity and some default editable
data validation have been taken care of as well. If nothing else, Wicket
usually makes it near trivial to validate input and provide feedback to
the user.
Just some random thoughts which I hope to expand on more in the future.
I'm curious if anyone has tried to get Wicket to play nicely with hdiv
or what servlet security filtering/alerting options are available.
Cheers,
./C
[1] http://www.modsecurity.org/projects/modsecurity/java/
[2] http://www.hdiv.org
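As an added illustration of the "no pointer arithmetic" point Sam makes above (example code written for this thread, not code from Wicket, HDIV or modsecurity): the server keeps the real list of choices it rendered into the select box, and the browser only ever posts an index into that list. The class and method names (`ChoiceIntegrityExample`, `ShippingOption`, `resolveByIndex`) are hypothetical, and the sample requests are constructed.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical illustration of the select-box integrity idea from the thread.
 * Not Wicket's or HDIV's own implementation: Wicket keeps its choice list in
 * component state; here a plain List stands in for that server-side state.
 */
public class ChoiceIntegrityExample {

    /** A value the server generated and the client must not be able to alter. */
    record ShippingOption(String code, int priceCents) {}

    /** Server-side state: the options that were rendered into the select box. */
    static final List<ShippingOption> RENDERED_OPTIONS = List.of(
        new ShippingOption("STANDARD", 500),
        new ShippingOption("EXPRESS", 1500));

    /**
     * Insecure pattern ("arbitrary pointer"): whatever string the client posts
     * is taken as the chosen option and flows straight into business logic.
     */
    static String resolveTrusting(Map<String, String> params) {
        return params.get("shipping");
    }

    /**
     * Integrity-preserving pattern: the request carries only an index into the
     * list the server rendered. A malformed or out-of-range index is rejected
     * rather than interpreted, so the client cannot name a value the server
     * never offered (for example a price or code it made up).
     */
    static Optional<ShippingOption> resolveByIndex(Map<String, String> params,
                                                   List<ShippingOption> rendered) {
        String raw = params.get("shipping");
        if (raw == null) {
            return Optional.empty();          // parameter missing
        }
        int idx;
        try {
            idx = Integer.parseInt(raw);
        } catch (NumberFormatException e) {
            return Optional.empty();          // not an index at all: reject, don't guess
        }
        if (idx < 0 || idx >= rendered.size()) {
            return Optional.empty();          // out of range: tampered or stale form
        }
        return Optional.of(rendered.get(idx));
    }

    public static void main(String[] args) {
        // Constructed sample requests (parameter maps as a servlet would see them)
        Map<String, String> honest   = Map.of("shipping", "1");
        Map<String, String> tampered = Map.of("shipping", "7");
        Map<String, String> freeform = Map.of("shipping", "FREE");

        System.out.println("trusting posted value : " + resolveTrusting(freeform));
        System.out.println("honest index          : " + resolveByIndex(honest, RENDERED_OPTIONS));
        System.out.println("out-of-range index    : " + resolveByIndex(tampered, RENDERED_OPTIONS));
        System.out.println("non-numeric value     : " + resolveByIndex(freeform, RENDERED_OPTIONS));
    }
}
```

The point of the contrast is that in the second form the set of values the application can ever act on is exactly the set it rendered; an `Optional.empty()` result is a signal to re-render the form (or log a tampering attempt), not a value to be passed along.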