yeah, urls keyed to user's session...
-igor
On Tue, Mar 4, 2008 at 10:48 AM, Jonathan Locke
<[EMAIL PROTECTED]> wrote:
>
>
> btw, if you really want to be extremely secure and don't mind some number
> crunching overhead, you might try using cryptographically secure urls. it's
> as easy as installing a new url coding strategy in wicket.
>
>
>
>
> Arthur Ahiceh wrote:
> >
> > Hi guys,
> >
> > I have a very critical application in a banking environment and I wanted
> > to resolve the following questions over Security. These points are
> > questioned after reading some documentation from mailing lists (webappsec,
> > struts, wicket, etc.) and projects like HDIV[2].
> >
> > 1. ESCAPING CHARACTERS: I have read in wicket's mailing list that all
> > wicket components escape values. I have done some tests in the
> > "wicket-examples" application distributed in the wicket-1.3.1 release and I
> > have modified, in the FormInput.properties file, the value of key "string"
> > with this value "<script>alert("xss");</script>" and I see that this script
> > is executed when I load the page with this message key. So, I don't know if
> > all components escape values or not!
> >
> > 2. INTEGRITY: Actually in my bank application we have hidden fields in our
> > forms to store critical values and I want to know if wicket by default
> > guarantees data integrity or not. I want to guarantee integrity like HDIV
> > does in Struts and Spring MVC apps... is it possible in wicket?
> >
> > I have read in wicket's documentation that it is possible to encrypt urls
> > ensuring integrity (
> > http://cwiki.apache.org/WICKET/url-coding-strategies.html) but is it
> > possible to apply this strategy to forms? Or are data tampering attacks
> > possible in wicket forms with hidden fields?
> >
> > So, can Wicket ensure data integrity?
> >
> > 3. CONFIDENTIALITY: After reading HDIV's reference document I have seen
> > that in our application database identifiers are presented in html pages
> > as combo value ids and now we want to hide these values. I thought about
> > implementing a common renderer for all my wicket components to be
> > responsible for returning a value relative to the original values, but I
> > do not like it because it is probable that my programmers won't use it in
> > all cases and it is a risk that I don't want to run. Is there any wicket
> > functionality to return confidential data, by default, for form values? I
> > do not want to rely on developers...
> >
> > 4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read (
> > http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> > to add random tokens to all requests. Is it possible to add a random
> > parameter to requests automatically in wicket?
> >
> > I need your help to answer these questions, pls!
> >
> > thanks!
> >
> > [1] http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
> > [2] http://www.hdiv.org/docs/hdiv-reference.pdf
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
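Added example, not code from the thread or from Wicket: the three mechanisms the questions ask about (a MAC over hidden-field values for integrity, opaque per-session handles in place of database ids for confidentiality, and a per-session CSRF token), all keyed to the user's session as Igor's reply suggests, written as a plain-Python server-side sketch so it runs offline. `SessionGuard`, `render_transfer_form` and `handle_transfer_submit` are hypothetical names; the fixed keys, account ids and limit are constructed sample values. It shows the technique only and does not use Wicket's URL coding strategy API.

```python
import hashlib
import hmac
import secrets


class SessionGuard:
    """Per-session state a server keeps alongside the HTTP session.

    Each instance has its own random key, so a value signed or a handle
    issued in one session is meaningless in any other session.
    """

    def __init__(self, session_key=None):
        # Constructed for the example; a real app generates this at login.
        self.key = session_key or secrets.token_bytes(32)
        self._handle_to_id = {}   # opaque handle -> real database id
        self._id_to_handle = {}

    def _mac(self, *parts):
        msg = b"\x00".join(p.encode() for p in parts)
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    # INTEGRITY: a hidden field carries a MAC over (purpose, name, value).
    def sign_field(self, name, value):
        return f"{value}|{self._mac('field', name, value)}"

    def verify_field(self, name, signed):
        value, sep, mac = signed.rpartition("|")
        if not sep or not hmac.compare_digest(mac, self._mac("field", name, value)):
            raise ValueError(f"hidden field {name!r} failed integrity check")
        return value

    # CONFIDENTIALITY: the page only ever sees a random handle, never the id.
    def expose_id(self, real_id):
        if real_id not in self._id_to_handle:
            handle = secrets.token_urlsafe(12)
            self._id_to_handle[real_id] = handle
            self._handle_to_id[handle] = real_id
        return self._id_to_handle[real_id]

    def resolve_id(self, handle):
        try:
            return self._handle_to_id[handle]
        except KeyError:
            raise ValueError("unknown identifier for this session") from None

    # RANDOM TOKENS: a CSRF token derived from the session key.
    def csrf_token(self):
        return self._mac("csrf")

    def check_csrf(self, token):
        return hmac.compare_digest(token, self.csrf_token())


def render_transfer_form(guard, account_ids, amount_limit):
    """Server side: build the hidden and select values the browser sees."""
    return {
        "csrf": guard.csrf_token(),
        "limit": guard.sign_field("limit", str(amount_limit)),
        "accounts": [guard.expose_id(a) for a in account_ids],
    }


def handle_transfer_submit(guard, form):
    """Server side: validate every client-supplied value before business logic.

    Returns (ok, detail): the parsed data on success, the reason on failure.
    """
    if not guard.check_csrf(form.get("csrf", "")):
        return False, "csrf token mismatch"
    try:
        limit = int(guard.verify_field("limit", form.get("limit", "")))
        account = guard.resolve_id(form.get("account", ""))
    except ValueError as exc:
        return False, str(exc)
    return True, {"limit": limit, "account": account}


if __name__ == "__main__":
    guard = SessionGuard()
    page = render_transfer_form(guard, [1001, 1002], 5000)
    good = {"csrf": page["csrf"], "limit": page["limit"], "account": page["accounts"][0]}
    print(handle_transfer_submit(guard, good))
    tampered = dict(good, limit="999999|" + page["limit"].split("|")[1])
    print(handle_transfer_submit(guard, tampered))
```

The `rpartition` in `verify_field` lets a signed value itself contain `|`, and `hmac.compare_digest` keeps the MAC and token comparisons constant-time; because the handles and MACs are bound to one session's key, a value copied out of one user's page fails in another user's session rather than being accepted.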