Re: CSRF protection and mounting pages

Wed, 18 Sep 2013 07:05:44 -0700 

Hi Jesse,
thanks, this looks like a promising solution! However I have two problems with it: 


1) Some ajax requests (not all requests, but e.g. expanding an item in a 
TreeTable) result in a ajax redirect to the actual ajax response, which 
is then displayed in the browser. I have not investigated this any 
further yet.



2) It seems to me that the ListenerInterfaceCryptoMapper allows 
unencrypted query strings? This would effectively surpress the CSRF 
protection.


Best Regards,
Andreas

Am 18.09.2013 15:14, schrieb Jesse Long:

Hi Andreas,

Try using this, in addition to normal CryptoMapper.

usage:

protected void init()
{
setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), .....));

mountPage(....);
mountPage(....);
mountPage(....);
mountPage(....);
mountPage(....);


setRootRequestMapper(new 
ListenerInterfaceCryptoMapper(getRootRequestMapper(), ....));

}


Let me know if it works for you?

Cheers,
Jesse


import java.util.List;
import org.apache.wicket.Application;

import 
org.apache.wicket.core.request.handler.BookmarkableListenerInterfaceRequestHandler;
import 
org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;

import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.string.Strings;

public class ListenerInterfaceCryptoMapper
        extends CryptoMapper
{
    private final String parameterName;


    public ListenerInterfaceCryptoMapperCryptoMapper(String 
parameterName, IRequestMapper wrappedMapper, Application application)

    {
        super(wrappedMapper, application);
        this.parameterName = parameterName;
    }


    public ListenerInterfaceCryptoMapper(String parameterName, 
IRequestMapper wrappedMapper, IProvider<ICrypt> cryptProvider)

    {
        super(wrappedMapper, cryptProvider);
        this.parameterName = parameterName;
    }

    @Override
    protected Url decryptUrl(Request request, Url encryptedUrl)
    {

        List<Url.QueryParameter> queryParameters = 
encryptedUrl.getQueryParameters();


        if (queryParameters.size() == 1){
            Url.QueryParameter param = queryParameters.get(0);


            if (param.getName().equals(parameterName) && 
Strings.isEmpty(param.getValue()) == false){
                String decodedQueryString = 
getCrypt().decryptUrlSafe(param.getValue());



                return new Url(encryptedUrl.getSegments(), 
Url.parse(decodedQueryString, 
encryptedUrl.getCharset()).getQueryParameters(), 
encryptedUrl.getCharset());

            }
        }

        return encryptedUrl;
    }

    @Override
    protected Url encryptUrl(Url url)
    {
        // no encrypting of segments
        return url;
    }

    @Override
    public Url mapHandler(IRequestHandler requestHandler)
    {
        Url url = super.mapHandler(requestHandler);

        if (url.getQueryParameters().isEmpty()){
            return url;
        }


        if ((requestHandler instanceof 
ListenerInterfaceRequestHandler) || (requestHandler instanceof 
BookmarkableListenerInterfaceRequestHandler)){
            Url encryptedUrl = new Url(url.getSegments(), 
url.getCharset());



            encryptedUrl.addQueryParameter(parameterName, 
getCrypt().encryptUrlSafe(url.getQueryString()));


            return encryptedUrl;
        }else{
            return url;
        }
    }
}


On 18/09/2013 14:48, Andreas Kappler wrote:

Thanks for pointing out that ticket. So as I see it, there is 
currently no easy way to secure pages from CSRF attacks if they are 
mounted. To be honest I find it a bit surprising that no one 
contributed a solution for this common problem.



I will probably go for the solution with redirects instead of 
mounting pages, it seems to me to be the safest way.


Am 18.09.2013 14:08, schrieb Martin Grigorov:

Check https://issues.apache.org/jira/browse/WICKET-5326
It talks about similar things


On Wed, Sep 18, 2013 at 3:03 PM, Andreas Kappler <
andreas.kapp...@jato-consulting.de> wrote:


Hi Martin,


thanks for your answer. I tried that and I am not sure if I did 
something
wrong, but still the URLs generated for posting forms are not 
encrypted.


For example I have a page that contains a form to change the user's

password and I want the page to be available as /changePassword. 
Now if the
user submits the form, the form's action points to 
/changePassword?xyz,

which makes it open to CSRF.

Best Regards,
Andreas

Am 18.09.2013 13:09, schrieb Martin Grigorov:


Hi,

You can extend CryptoMapper and setup it as root mapper.
In your custom CryptoMapper you can override "Url mapHandler(final
IRequestHandler requestHandler)". If the passed requestHandler is
IPageClassRequestHandler then you can call #getPageClass() on it and
decide

whether to encrypt the Url or not. For all other IRequestHandlers 
- always

encrypt.


On Wed, Sep 18, 2013 at 11:43 AM, Andreas Kappler <

andreas.kappler@jato-**consulting.de 
<andreas.kapp...@jato-consulting.de>>

wrote:

  Hi!

I am currently looking into making our Wicket applications CSRF 
safe.

From

my understanding the CryptoMapper is the way to go, and I was 
able to set

it up working successfully.

There are however several mounted pages in the applications (with

WebApplication.mountPage), where the URLs should not be 
encrypted. This

also works fine, the CryptoMapper does not encrypt the URLs to these
pages,

but that also removes the CSRF protection. E.g. if one of these 
mounted
pages contains a form, the URL to post back the form data is 
unencrypted

and vulnerable to CSRF.


My idea was to not mount pages directly, but instead mount a Page 
that
redirects to the actual page. That way the page is still 
reachable with a

static URL, but all consequent requests are properly encrypted.

So instead of:

    webApplication.mountPage("****login", LoginPage.class);


Something like this:

    public class LoginPageRedirect extends WebPage {
        protected void onInitialize() {
            throw new RestartResponseException(****LoginPage.class);
        }
    }
    webApplication.mountPage("****login", LoginPageRedirect.class);


I did however not find anything in the wicket API that supports this

concept and now I am wondering if there is a better way to do 
this, e.g.

with a server side redirect.

I would be grateful for any ideas!

Best Regards,
Andreas

------------------------------****----------------------------**
--**---------

To unsubscribe, e-mail: 
users-unsubscribe@wicket.**apa**che.org<http://apache.org>
<users-unsubscribe@**wicket.apache.org<users-unsubscr...@wicket.apache.org> 


For additional commands, e-mail: users-h...@wicket.apache.org




------------------------------**------------------------------**--------- 

To unsubscribe, e-mail: 
users-unsubscribe@wicket.**apache.org<users-unsubscr...@wicket.apache.org>

For additional commands, e-mail: users-h...@wicket.apache.org





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org























					Reply via email to