Hi guys,

I have a very critical application in a banking environment and I wanted to
resolve the following questions about security. These points came up
after reading some documentation from mailing lists (webappsec, struts, wicket,
etc.) and projects like HDIV[2].

1. ESCAPING CHARACTERS: I have read in Wicket's mailing list that all Wicket
components escape values. I have done some tests in the "wicket-examples"
application distributed in the wicket-1.3.1 release and I have modified, in the
FormInput.properties file, the value of the key "string" with this value
"<script>alert("xss");</script>" and I see that this script is executed when
I load the page with this message key. So, I don't know whether all components
escape values or not!

2. INTEGRITY: Actually, in my bank application we have hidden fields in our
forms to store critical values and I want to know if Wicket by default
guarantees data integrity or not. I want to guarantee integrity like HDIV
does in Struts and Spring MVC apps... Is it possible in Wicket?

I have read in Wicket's documentation that it is possible to encrypt URLs
ensuring integrity (
http://cwiki.apache.org/WICKET/url-coding-strategies.html) but is it
possible to apply this strategy to forms? Or are data tampering attacks
possible in Wicket forms with hidden fields?

So, can Wicket ensure data integrity?

3. CONFIDENTIALITY: After reading HDIV's reference document I have seen that in
our application database identifiers are presented in HTML pages as combo
value ids and now we want to hide these values. I thought about
implementing a common renderer for all my Wicket components to be
responsible for returning a value relative to the original values, but I do
not like it because it is probable that my programmers won't use it in all
cases and it is a risk that I don't want to run. Is there any Wicket
functionality to return confidential data, by default, for form values? I
do not want to rely on developers...

4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read (
http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
to add random tokens to all requests. Is it possible to add a random
parameter to requests automatically in Wicket?

I need your help to answer these questions, please!

thanks!

[1]
http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
[2] http://www.hdiv.org/docs/hdiv-reference.pdf
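The integrity question (point 2) is about detecting a hidden field whose value was edited between rendering and submission. The following is an added example, not Wicket code and not part of the original post: a small Java helper that binds each hidden value to an HMAC computed with a server-side key, the session id and the field name, so an altered value, or a value copied from another user's session, is rejected on submit. The class name, the `protect`/`unprotect` methods and the sample session id are assumptions made up for this illustration; it uses only the standard `javax.crypto` and `java.security` APIs.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (hypothetical helper, not part of Wicket): protects hidden
 * form values by appending an HMAC over (sessionId, fieldName, value).
 * The key never leaves the server, so the client cannot recompute the tag.
 */
public final class HiddenFieldGuard {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public HiddenFieldGuard(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, ALG);
    }

    /** Fresh server secret; keep it in server memory, never in the page. */
    public static byte[] newSecret() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return b;
    }

    /** Value to render into the hidden field: "<value>|<base64 hmac>". */
    public String protect(String sessionId, String fieldName, String value) {
        return value + "|" + mac(sessionId, fieldName, value);
    }

    /** Returns the original value, or null if the submitted field was altered. */
    public String unprotect(String sessionId, String fieldName, String submitted) {
        // Base64 never contains '|', so the last '|' separates value from tag
        int sep = submitted.lastIndexOf('|');
        if (sep < 0) return null;
        String value = submitted.substring(0, sep);
        byte[] expected = mac(sessionId, fieldName, value).getBytes(StandardCharsets.US_ASCII);
        byte[] given = submitted.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        // constant-time comparison: does not leak how many tag bytes matched
        return MessageDigest.isEqual(expected, given) ? value : null;
    }

    private String mac(String sessionId, String fieldName, String value) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            // length-prefix each part so "ab"+"c" and "a"+"bc" cannot collide
            for (String part : new String[] {sessionId, fieldName, value}) {
                byte[] bytes = part.getBytes(StandardCharsets.UTF_8);
                m.update(Integer.toString(bytes.length).getBytes(StandardCharsets.US_ASCII));
                m.update((byte) ':');
                m.update(bytes);
            }
            return Base64.getEncoder().encodeToString(m.doFinal());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        HiddenFieldGuard guard = new HiddenFieldGuard(newSecret());
        String session = "sess-1234"; // constructed sample session id
        String rendered = guard.protect(session, "accountId", "42");
        System.out.println("hidden value: " + rendered);
        System.out.println("untouched   -> " + guard.unprotect(session, "accountId", rendered));
        // client edits the account id but cannot recompute the tag
        String tampered = "43" + rendered.substring(rendered.indexOf('|'));
        System.out.println("tampered    -> " + guard.unprotect(session, "accountId", tampered));
        // same field replayed from a different session is rejected as well
        System.out.println("other sess  -> " + guard.unprotect("sess-9999", "accountId", rendered));
    }
}
```

In a framework like Wicket this logic would sit in one place (a custom hidden-field component or a request-cycle hook) rather than being left to each developer, which is the same concern raised in point 3. Because the tag is bound to the session id, a dedicated field protected this way also behaves as a per-session token for point 4: a value valid in one session fails verification in any other.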
