First, thank you for your quick reply!

> > > 1. ESCAPING CHARACTERS: I have read in wicket's mailing list that all wicket
> > > components escape values. I have done some tests in "wicket-examples"
> > > application distributed in wicket-1.3.1 release and I have modified, in
> > > FormInput.properties file, value of key "string" with this value
> > > "<script>alert("xss");</script>" and I see that this script is executed when
> > > I load the page with this message key. So, I don't know if all components
> > > escape values or not!
> >
> > I'm not familiar with that example, but from my experience, Wicket
> > components escape HTML unless specifically told otherwise.
>
> I don't think we escape certain values that come from .properties
> files. These files are maintained by programmers and are never written
> to by users, so what's the point of escaping them?



right. I was thinking that the wicket:message component could be able to read
data from Wicket's models. I confused it with Struts' "bean:message" tag. I
have seen that components like FeedbackPanel escape messages, so XSS attacks
like the one commented on here (http://shh.thathost.com/secadv/spring-form-xss/)
are resolved in Wicket!



> > > 2. INTEGRITY: Actually in my bank application we have hidden fields in our
> > > forms to store critical values and I want to know if wicket by default
> > > guarantees data integrity or not. I want to guarantee integrity like HDIV
> > > does in Struts and Spring MVC apps... is it possible in wicket?
> >
> > Hidden fields are not required with Wicket applications since the data that
> > was formerly stored in hidden fields in other frameworks is maintained in
> > Wicket's model classes. I had a hard time understanding this at first as
> > well, but the essential element is you don't need hidden fields in Wicket
> > applications.
>
> right. to put it simpler - what used to be in hidden fields is now
> stored in session
>
> > > I have read in wicket's documentation that it is possible to encrypt urls
> > > ensuring integrity (
> > > http://cwiki.apache.org/WICKET/url-coding-strategies.html) but is it
> > > possible to apply this strategy to forms? Or are data tampering attacks
> > > possible in wicket forms with hidden fields?
> > >
> > > So, can Wicket ensure data integrity?
>
> Since hidden values are stored in session instead - yes. Users cannot
> tamper with things you do not explicitly expose.



right. Wicket's models will hold these hidden fields' information, so it is not
possible to tamper with these data values. ok!


> > > 4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read (
> > > http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> > > to add random tokens to all requests. Is it possible to add a random
> > > parameter to requests automatically in wicket?
>
> Wicket urls are already session-relative and somewhat random (depend
> on the path you take through the application), so I am not sure if
> anything more needs to be done...
>

To prevent CSRF attacks you must add some random values to all requests,
because session-relative values could be hit; you have to consider that
wicket urls always have the same format
(?wicket:interface=:0:goGerman::ILinkListener::), so it is simple to
construct requests for CSRF attacks.

Arthur.
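The synchronizer token pattern that Arthur's last point refers to (the OWASP page cited in the thread), sketched as an added, framework-agnostic example. This is not code from the thread or from Wicket itself; `Session`, `issue_csrf_token`, `render_form`, `validate_request` and the parameter name `csrf_token` are all hypothetical names chosen for the illustration. It shows why a per-session random token defends where a predictable, session-relative URL does not: a forged request that omits the token, or carries a token issued to a different session, is rejected, and the comparison is constant-time.

```python
import hmac
import secrets

# Hypothetical request parameter name carrying the anti-CSRF token.
TOKEN_PARAM = "csrf_token"


class Session:
    """Minimal stand-in for a server-side HTTP session (constructed for the example)."""

    def __init__(self):
        self.attributes = {}


def issue_csrf_token(session):
    """Return the session's anti-CSRF token, creating it on first use.

    The token lives only in server-side session state, so a page on another
    origin has no way to read it; it is unpredictable (256 bits from the OS CSPRNG),
    unlike a URL whose shape is the same for every user.
    """
    token = session.attributes.get(TOKEN_PARAM)
    if token is None:
        token = secrets.token_urlsafe(32)
        session.attributes[TOKEN_PARAM] = token
    return token


def render_form(session, action):
    """Emit a form whose submission carries the session's token as a hidden field."""
    token = issue_csrf_token(session)
    return (
        f'<form method="post" action="{action}">\n'
        f'  <input type="hidden" name="{TOKEN_PARAM}" value="{token}">\n'
        f'  <input type="submit" value="Go">\n'
        f"</form>"
    )


def validate_request(session, params):
    """Accept a state-changing request only if it carries this session's token.

    Missing token, no token on the session, or a token issued to another session
    all fail. hmac.compare_digest avoids leaking the token through timing.
    """
    expected = session.attributes.get(TOKEN_PARAM)
    supplied = params.get(TOKEN_PARAM)
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    victim = Session()
    html = render_form(victim, "/goGerman")
    print(html)

    # Legitimate submission from the rendered form.
    own_token = issue_csrf_token(victim)
    print("own form:", validate_request(victim, {TOKEN_PARAM: own_token}))

    # Constructed cross-site request: the attacker can guess the URL shape
    # but not the token, so the parameter is simply absent.
    print("forged, no token:", validate_request(victim, {}))

    # Constructed attempt using a token from the attacker's own session.
    attacker = Session()
    print("forged, foreign token:",
          validate_request(victim, {TOKEN_PARAM: issue_csrf_token(attacker)}))
```

The check belongs on every request that changes state (form posts and listener links alike), and the token should be emitted into the page by the server rather than derived from anything an attacker's page could compute.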
