CSRF uses URLs to do something on another site, right? For example:

<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

How would that work in a default Wicket application? Is it really so stupidly developed that these kinds of things use client-side state? So this can't be done with just a URL. So you have to have real scripting. So for this to work in Wicket you have to know so many things upfront. First the page id of the bank transfer page, which is pretty random. Only if all users would always go over the same path to the same page could the id be guessed. Then it has to get the right form, fill in the right values and do the submit. And do modern browsers allow JS scripts like that?

johan

On Thu, Aug 7, 2008 at 10:54 AM, Arthur Ahiceh <[EMAIL PROTECTED]> wrote:

>
> >> 4. Yes. See mailing list for earlier answers. There are more hardening
> >> options such as encrypting urls.
>
> Even encrypting the urls Wicket is vulnerable to CSRF because the key used
> to encrypt is shared by all users of the application. Wicket is an extensible
> framework where you can add some new functionality "easily" but it doesn't
> provide any secure solution by default to protect you against CSRF attacks!
>
>
> Erik van Oosten wrote:
> >
> > Hello Marcelo,
> >
> > 1. No. The flip side of having full control of the HTML is that you need
> > to write it yourself.
> >
> > 2. In Wicket it is trivial to keep state (read the conversation state)
> > on the server, local to the dialog/panel you are working with. No
> > official conversation support is therefore needed.
> >
> > 3. Yes. See WicketTester.
> >
> > 4. Yes. See mailing list for earlier answers. There are more hardening
> > options such as encrypting urls.
> >
> > Regards,
> > Erik.
> >
> >
> > Marcelo Morales wrote:
> >> Hello
> >>
> >> I've browsed over the wicket documentation and examples. There are a
> >> couple of things I don't seem able to determine. So I would really
> >> appreciate your input on these questions.
> >>
> >> 1 Can I write a web application without coding any HTML whatsoever?...
> >> I mean, is there some kind of "html" or "whole page" component which
> >> renders an entire HTML page?
> >> 2 Is there a way to work on dialogs (also known as conversations) as
> >> opposed to sessions?... maybe this question is nonsense and I didn't
> >> understand the whole page version management mechanism.
> >> 3 Does it come with some kind of integration testing?
> >> 4 Is it possible (or feasible) to implement some kind of "page
> >> hardening"? I am seeking something to protect victims of CSRF attacks
> >> from other sites. An input name randomizer comes to mind (which would
> >> make it impossible to selenium test it)
> >>
> >> Regards
> >>
> >> Marcelo Morales
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
> > --
> > Erik van Oosten
> > http://day-to-day-stuff.blogspot.com/
> >
>
> --
> View this message in context:
> http://www.nabble.com/Questions-about-wicket-features-tp18857860p18866486.html
> Sent from the Wicket - User mailing list archive at Nabble.com.
>
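A defender-side illustration of the three request shapes this thread argues about (the bare `<img>` GET, a forged cross-site form POST, and the user's own form post), added here as example code that is not from the thread or from Wicket; `APP_ORIGIN`, the `Session`/`Request` classes and the withdraw parameters are constructed stand-ins. It shows why a token minted per session, unlike URL encryption with a key shared by every user of the application, binds the submitted form to the user who loaded it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins: the one origin allowed to submit state-changing forms.
APP_ORIGIN = "https://bank.example"
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

@dataclass
class Session:
    """Server-side session; the CSRF token is per session, not application-wide."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    method: str
    headers: dict
    form: dict

def check_request(req, session):
    """Gate for the withdraw handler. Returns (allowed, reason)."""
    # 1. A bare <img src=...> can only issue a GET; GET must never change state.
    if req.method.upper() not in STATE_CHANGING:
        return False, "state change requires POST"
    # 2. Browsers attach Origin to cross-site form posts; if present, it must be ours.
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return False, "foreign origin " + origin
    # 3. Synchronizer token: the form field must equal this session's token
    #    (constant-time compare; never derived from a key shared by all users).
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return False, "missing or wrong csrf token"
    return True, "ok"

def demo():
    """Evaluate the three request shapes from the thread against bob's session."""
    bob = Session(user="bob")
    steal = {"account": "bob", "amount": "1000000", "for": "mallory"}
    cases = {
        "img_get": Request("GET", {}, steal),
        "forged_post": Request("POST", {"Origin": "https://mallory.example"}, steal),
        "legit_post": Request("POST", {"Origin": APP_ORIGIN},
                              {"account": "bob", "amount": "50", "csrf_token": bob.csrf_token}),
    }
    return {name: check_request(r, bob) for name, r in cases.items()}

if __name__ == "__main__":
    print(demo())
```

Only the request carrying bob's own session token passes; the `<img>` request fails on method alone, and a forged POST fails on Origin before the token is even compared.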
