On Thu, Feb 28, 2008 at 9:43 AM, Arthur Ahiceh <[EMAIL PROTECTED]> wrote:
>  > Wicket urls are already session-relative and somewhat random (depend
>  > on the path you take through the application), so I am not sure if
>  > anything more needs to be done...
>  >
>
>  To prevent CSRF attacks you must add some random values to all requests,
>  because session-relative values could be hit; you have to think that
>  wicket urls always have the same format
>  (?wicket:interface=:0:goGerman::ILinkListener::) and it is simple to
>  construct requests for CSRF attacks.

first you would have to hijack the session...
then in order for you to hit

?wicket:interface=:0:goGerman::ILinkListener::

a few things have to be true:
a) attacker has to hijack the session
b) page id (the 0 part of the url) has to match with the link path in
the user's session. This depends on the order in which the user has
visited the pages
c) user had to actually have visited the page previously

even if that's not enough it is trivial to write your own coding
strategy that appends the random token and stores its mirror in
session....

-igor

>
>  Arthur.
>
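The "coding strategy" Igor describes above (a random token appended to every listener URL, with its mirror kept in the session) is the synchronizer-token pattern. The following is an added, framework-agnostic illustration of that pattern and is not Wicket code, nor code from either poster. It assumes a hypothetical query-parameter name `csrf`, a hypothetical application path `/app`, and an in-memory `SESSIONS` dict standing in for the servlet session; the forged URL in `demo()` is the one quoted in the thread.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical parameter name carrying the anti-CSRF token (assumption, not a Wicket name).
TOKEN_PARAM = "csrf"
# Hypothetical application mount path (assumption).
APP_PATH = "/app"


@dataclass
class Session:
    """Server-side session: the token's 'mirror' lives here, never in a cookie alone."""
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# In-memory stand-in for the container's session store (constructed for the example).
SESSIONS: Dict[str, Session] = {}


def new_session() -> Session:
    """Create a session with an unguessable id and a fresh per-session CSRF token."""
    session = Session(sid=secrets.token_urlsafe(16))
    SESSIONS[session.sid] = session
    return session


def listener_url(session: Session, page_id: int, component_path: str) -> str:
    """Build a Wicket-style listener URL and append the session's token to it."""
    query = urlencode({
        "wicket:interface": f":{page_id}:{component_path}::ILinkListener::",
        TOKEN_PARAM: session.csrf_token,
    })
    return f"{APP_PATH}?{query}"


def handle_request(url: str, cookie_sid: Optional[str]) -> str:
    """Decide whether a state-changing request may run.

    Returns a short outcome string so the decision can be inspected/tested.
    """
    session = SESSIONS.get(cookie_sid) if cookie_sid else None
    if session is None:
        # Igor's point (a): a URL without the victim's session does nothing.
        return "rejected: no session"
    params = parse_qs(urlparse(url).query)
    presented = params.get(TOKEN_PARAM, [""])[0]
    # Constant-time comparison of the presented token against its session mirror.
    if not hmac.compare_digest(presented.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return "rejected: bad csrf token"
    return "ok: " + params.get("wicket:interface", ["?"])[0]


def demo() -> Dict[str, str]:
    """Run the four cases a reviewer would want to see."""
    victim = new_session()
    legit_url = listener_url(victim, 0, "goGerman")
    # The predictable URL from the thread, as an attacker would guess it (constructed input).
    forged_url = f"{APP_PATH}?wicket:interface=:0:goGerman::ILinkListener::"
    return {
        "legit": handle_request(legit_url, victim.sid),
        "forged_no_session": handle_request(forged_url, None),
        "forged_with_session": handle_request(forged_url, victim.sid),
        "token_from_other_session": handle_request(legit_url, new_session().sid),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two design notes. The token is bound to the session, not to the page id, so it does not depend on the order in which the user visited pages (Igor's points (b) and (c)) and stays valid across the whole session. Because it travels in the URL, it can leak through the Referer header and browser history; if that matters for the application, carry the token in a POST body or request header instead of the query string, or rotate it per request.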
