By the way, if you really want to be extremely secure and don't mind some number-crunching
overhead, you might try using cryptographically secure URLs. It's as easy as installing
a new URL coding strategy in Wicket.
Arthur Ahiceh wrote:
>
> Hi guys,
>
> I have a very critical application in a banking environment and I wanted to
> resolve the following questions about security. These points are questions that
> came up after reading some documentation from mailing lists (webappsec, struts,
> wicket, etc.) and projects like HDIV [2].
>
> 1. ESCAPING CHARACTERS: I have read on Wicket's mailing list that all Wicket
> components escape values. I have done some tests in the "wicket-examples"
> application distributed in the wicket-1.3.1 release and I have modified, in the
> FormInput.properties file, the value of the key "string" with this value
> "<script>alert("xss");</script>", and I see that this script is executed when
> I load the page with this message key. So, I don't know if all components
> escape values or not!
>
> 2. INTEGRITY: Actually, in my bank application we have hidden fields in our
> forms to store critical values and I want to know whether Wicket by default
> guarantees data integrity or not. I want to guarantee integrity like HDIV
> does in Struts and Spring MVC apps... is it possible in Wicket?
>
> I have read in Wicket's documentation that it is possible to encrypt URLs,
> ensuring integrity (
> http://cwiki.apache.org/WICKET/url-coding-strategies.html), but is it
> possible to apply this strategy to forms? Or are data tampering attacks
> possible in Wicket forms with hidden fields?
>
> So, can Wicket ensure data integrity?
>
> 3. CONFIDENTIALITY: After reading HDIV's reference document I have seen that in
> our application database identifiers are presented in HTML pages as combo
> value ids, and now we want to hide these values. I thought about
> implementing a common renderer for all my Wicket components to be
> responsible for returning a value relative to the original values, but I do
> not like it because it is probable that my programmers won't use it in all
> cases, and that is a risk I don't want to run. Is there any Wicket
> functionality to return confidential data, by default, for forms' values? I
> do not want to rely on developers...
>
> 4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read (
> http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> to add random tokens to all requests. Is it possible to add a random
> parameter to requests automatically in Wicket?
>
> I need your help to answer these questions, please!
>
> thanks!
>
> [1] http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
> [2] http://www.hdiv.org/docs/hdiv-reference.pdf
>
>
--
View this message in context:
http://www.nabble.com/Security-Features-offered-by-Wicket-tp15738864p15834345.html
Sent from the Wicket - User mailing list archive at Nabble.com.
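As an added illustration of the "install a new URL coding strategy" step mentioned in the reply above (this is example code written for this page, not code from the thread or from the Wicket project), here is how the encrypted URL coding strategy is wired into a Wicket 1.3 application. The Wicket class names are the 1.3 ones; the `BankApplication` and `HomePage` class names, and the choice of `KeyInSessionSunJceCryptFactory` as the key source, are assumptions for this example and should be checked against the exact 1.3.x release in use.

```java
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;

/**
 * Hypothetical application class (the name is an assumption for this example).
 * It installs Wicket 1.3's CryptedUrlWebRequestCodingStrategy so that every
 * URL the framework generates is encrypted, and decrypted again on the way in.
 */
public class BankApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();
        // Wicket 1.3's default crypt factory is seeded with a fixed, published
        // key, so encrypted URLs produced with it can be forged by anyone who
        // reads the source. KeyInSessionSunJceCryptFactory generates a fresh key
        // per HTTP session instead, so a URL only decrypts for the session that
        // issued it. (Factory choice is an assumption; verify it exists in your
        // 1.3.x release.)
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                // Wrap the standard strategy: the URL is encoded as usual, then
                // the whole query string is encrypted. Incoming URLs that fail
                // to decrypt cannot be mapped to a component, so a tampered URL
                // is rejected rather than acted upon.
                return new CryptedUrlWebRequestCodingStrategy(
                        new WebRequestCodingStrategy());
            }
        };
    }

    @Override
    public Class<? extends Page> getHomePage() {
        // Assumed page class, not shown here.
        return HomePage.class;
    }
}
```

Note what this does and does not cover: the strategy encrypts the URL (component path, listener interface, page version and any query parameters), so bookmarkable links and form action URLs become opaque and tamper-evident. It does not touch the fields posted in the body of a form, so a hidden field's value submitted in a POST is still whatever the client sends; that concern (question 2 in the quoted mail) needs to be handled on the server side, for example by keeping the critical value in the page or session state rather than in a hidden field.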