Check out the other part of this thread, I think this has become a dead
end...
http://javathoughts.capesugarbird.com/2007/08/protecting-wicket-application-against.html
Sebastiaan van Erk wrote:
> Hi,
>
> Nino Saturnino Martinez Vazquez Wael wrote:
>> As with all things you can make them more or less secure. As stated
>> before, depending on a level of paranoia nothing is secure!
>
> But that's got nothing to do with the question: does Wicket offer
> security feature X? Nor does it help answer the follow-up question:
> should Wicket offer security feature X?
>
>> If the application is a web one, well use CSRF attacks, use random
>> attacks, brute-force the site, go to their operator and get inside the
>> database. Eventually you will get in, if you cover your tracks.
>
> I disagree. You don't necessarily eventually get in. Brute force is
> infeasible (in well designed systems). Going to their operator leaves
> tracks and has high risk and high costs. Doing a CSRF attack is easy,
> anonymous, and can be done remotely.
>
>> Nothing is secure.
>
> Oh darn, well I guess I'll just remove my password protection from my
> computer, it's not secure anyway!!!
>
>> Having a quickstart as a use case could help developers decide if it's
>> worth the effort. What's a reasonable level for security... I guess
>> the best one is telling the users to use the browser exclusively for
>> the bank site and be sure to log out before leaving it.
>
> I don't see how a quickstart will help... Maybe it will help show
> *what* a CSRF attack is for those who don't know. :-)
>
> I think the original poster makes a good point. I think a CSRF attack
> is relatively high risk, and relatively low cost to fix. All it takes
> (I think, don't pin me on this, I have to research it a bit more) is
> something like a secure token to be kept in the state of the form
> which must be sent back on submit by the user, which is then matched.
> The Wicket user does not have to know about this at all, it is
> transparent. As an added benefit it blocks double form posts.
>
> In the case that it is desired that posts can be made without first
> having to request the page with the form, one should be able to turn
> CSRF protection off.
>
> Considering its 1) ease of implementation, 2) low intrusiveness, 3)
> added value, I definitely think it's worth considering protecting
> Wicket from CSRF by default.
>
> Regards,
> Sebastiaan
--
-Wicket for love
-Jme for fun
Nino Martinez Wael
Java Specialist @ Jayway DK
http://www.jayway.dk
+45 2936 7684
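The form-token scheme Sebastiaan sketches in the quoted message, worked out as an added example in plain Java; this is not Wicket's code, and the class and method names (FormTokenGuard, issue, consume) are hypothetical. A random token is issued when the form is rendered, must be echoed on submit, is matched with a constant-time compare, and is consumed on first use so a replayed or double-posted form is rejected; the constructor flag covers the case where posts must be accepted without rendering the form first.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical per-form synchronizer token guard (not part of Wicket). */
public final class FormTokenGuard {
    private static final SecureRandom RNG = new SecureRandom();
    // Tokens issued with rendered forms that have not yet been consumed by a submit.
    private final Set<String> outstanding = new HashSet<>();
    // Off switch for clients that must be allowed to post without rendering the form first.
    private final boolean enabled;
    public FormTokenGuard(boolean enabled) { this.enabled = enabled; }

    /** Render time: mint an unguessable token to embed as a hidden field of the form. */
    public synchronized String issue() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding.add(token);
        return token;
    }

    /** Submit time: accept a token exactly once, so forged, replayed and double posts all fail. */
    public synchronized boolean consume(String submitted) {
        if (!enabled) return true;
        if (submitted == null) return false;
        byte[] sub = submitted.getBytes(StandardCharsets.UTF_8);
        String match = null;
        for (String t : outstanding) {
            // Constant-time comparison, so the check does not leak how many leading bytes matched.
            if (MessageDigest.isEqual(t.getBytes(StandardCharsets.UTF_8), sub)) { match = t; break; }
        }
        if (match == null) return false;
        outstanding.remove(match); // single use: this is what blocks double form posts
        return true;
    }

    public static void main(String[] args) {
        FormTokenGuard guard = new FormTokenGuard(true);
        String hidden = guard.issue();                       // value rendered into the form
        System.out.println("legit submit: " + guard.consume(hidden));
        System.out.println("double post:  " + guard.consume(hidden));
        System.out.println("forged token: " + guard.consume("not-issued"));
        System.out.println("guard off:    " + new FormTokenGuard(false).consume(null));
    }
}
```

In a real framework the outstanding set would live in the user's session and be bounded (e.g. expire tokens with the page), otherwise a client that keeps rendering forms without submitting them can grow it without limit.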