yeah, urls keyed to user's session... -igor

On Tue, Mar 4, 2008 at 10:48 AM, Jonathan Locke <[EMAIL PROTECTED]> wrote:
>
> btw, if you really want to be extremely secure and don't mind some number
> crunching overhead, you might try using cryptographically secure urls. it's
> as easy as installing a new url coding strategy in wicket.
>
>
> Arthur Ahiceh wrote:
> >
> > Hi guys,
> >
> > I have a very critical application in a banking environment and I wanted to
> > resolve the following questions about security. These points are raised
> > after reading some documentation from mailing lists (webappsec, struts,
> > wicket, etc.) and projects like HDIV[2].
> >
> > 1. ESCAPING CHARACTERS: I have read on wicket's mailing list that all wicket
> > components escape values. I have done some tests in the "wicket-examples"
> > application distributed in the wicket-1.3.1 release, and I have modified, in
> > the FormInput.properties file, the value of key "string" to
> > "<script>alert("xss");</script>", and I see that this script is executed
> > when I load the page with this message key. So, I don't know if all
> > components escape values or not!
> >
> > 2. INTEGRITY: Actually, in my bank application we have hidden fields in our
> > forms to store critical values, and I want to know whether wicket by default
> > guarantees data integrity or not. I want to guarantee integrity like HDIV
> > does in Struts and Spring MVC apps... is it possible in wicket?
> >
> > I have read in wicket's documentation that it is possible to encrypt urls,
> > ensuring integrity (http://cwiki.apache.org/WICKET/url-coding-strategies.html),
> > but is it possible to apply this strategy to forms? Or are data tampering
> > attacks possible in wicket forms with hidden fields?
> >
> > So, can Wicket ensure data integrity?
> >
> > 3. CONFIDENTIALITY: After reading HDIV's reference document I have seen that
> > in our application database identifiers are presented in html pages as combo
> > value ids, and now we want to hide these values. I thought about
> > implementing a common renderer for all my wicket components, responsible
> > for returning a value relative to the original values, but I do not like
> > it because it is probable that my programmers won't use it in all cases,
> > and that is a risk I don't want to run. Is there any wicket functionality
> > to return confidential data, by default, for forms' values? I do not want
> > to rely on developers...
> >
> > 4. RANDOM TOKENS: I want to avoid CSRF attacks, and I have read
> > (http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> > to add random tokens to all requests. Is it possible to add a random
> > parameter to requests automatically in wicket?
> >
> > I need your help to answer these questions, pls!
> >
> > thanks!
> >
> > [1] http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
> > [2] http://www.hdiv.org/docs/hdiv-reference.pdf
> >
>
> --
> View this message in context:
> http://www.nabble.com/Security-Features-offered-by-Wicket-tp15738864p15834345.html
> Sent from the Wicket - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
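Added example, not part of this thread and not Wicket's own code: a plain-Python sketch of what "urls keyed to the user's session" buys for the three mechanical questions above (integrity of hidden fields / url parameters, hiding database identifiers, CSRF tokens). The `SessionGuard` class, its method names and the 32-byte per-session key are assumptions chosen for the illustration; a real framework strategy would encode the parameters into the url itself and store the key in the server-side session. Integrity is shown with an HMAC tag (a pure-stdlib choice), not with the encryption the wiki page describes, so the parameters stay readable but cannot be altered or replayed from another session; confidentiality for identifiers is shown separately with random per-session surrogates.

```python
"""Session-keyed parameter protection (added illustration, assumed API).

Three independent controls, all bound to one random key per user session:
  * seal/unseal   -- HMAC-SHA256 over a canonical JSON encoding of the
                     parameters, so hidden fields or url params cannot be
                     tampered with or replayed under another session.
  * hide/reveal   -- random surrogate ids instead of database identifiers.
  * csrf_token    -- per-session, per-form synchronizer token.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Optional

TAG_LEN = 32  # SHA-256 digest size in bytes


class SessionGuard:
    """One instance per user session; the key never leaves the server."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)      # assumed: stored in the session
        self._surrogates: Dict[str, Any] = {}           # opaque id -> real db id

    # --- integrity -------------------------------------------------------
    def seal(self, params: Dict[str, Any]) -> str:
        """Return an opaque, url-safe token carrying the params plus a MAC."""
        payload = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(tag + payload).decode()

    def unseal(self, token: str) -> Optional[Dict[str, Any]]:
        """Return the params if the MAC verifies under this session's key, else None."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:            # binascii.Error is a ValueError
            return None
        if len(raw) <= TAG_LEN:
            return None
        tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        return json.loads(payload)

    # --- confidentiality -------------------------------------------------
    def hide(self, real_id: Any) -> str:
        """Map a database id to a random surrogate that is only valid in this session."""
        surrogate = secrets.token_urlsafe(12)
        self._surrogates[surrogate] = real_id
        return surrogate

    def reveal(self, surrogate: str) -> Any:
        return self._surrogates.get(surrogate)

    # --- csrf ------------------------------------------------------------
    def csrf_token(self, form_name: str) -> str:
        """Synchronizer token derived from the session key, distinct per form."""
        return hmac.new(self.key, b"csrf:" + form_name.encode(), hashlib.sha256).hexdigest()

    def check_csrf(self, form_name: str, presented: str) -> bool:
        return hmac.compare_digest(self.csrf_token(form_name), presented)


def demo() -> Dict[str, Any]:
    """Constructed scenario: a transfer form with a hidden account field."""
    guard = SessionGuard()
    token = guard.seal({"account": guard.hide(4711), "amount": "10.00"})

    ok = guard.unseal(token)                        # untouched: verifies

    # Attacker flips one bit in the amount ("10.00" -> "10.01") inside the token.
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-3] ^= 0x01
    tampered = guard.unseal(base64.urlsafe_b64encode(bytes(raw)).decode())

    # A different session (different key) cannot replay the token either.
    replayed = SessionGuard().unseal(token)

    return {
        "ok": ok,
        "account": guard.reveal(ok["account"]) if ok else None,
        "tampered": tampered,
        "replayed": replayed,
    }


if __name__ == "__main__":
    print(demo())
```

The tampered and cross-session cases both come back as `None`, which is the property HDIV-style integrity checking gives: the server never has to trust a hidden field's value, only the key it holds. The surrogate map shows why per-session random ids are a confidentiality control and not an integrity one; without the MAC a user could still substitute another surrogate they were legitimately shown.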