Hi,
I am working on securing a Wicket application against CSRF attacks,
which are possible because Wicket URLs can be easily guessed by an
attacker and requests contain no challenge token.
I did my research and found
https://issues.apache.org/jira/browse/WICKET-1782 and
https://issues.apache.org/jira/browse/WICKET-5326, pointing to using
CryptMapper to encrypt the request URLs.
However, wouldn't a simpler approach be to randomize the page ID that
gets inserted into each URL? This way, an attacker can no longer issue
requests as he cannot guess the URL of the page instance.
The following basic session override does the trick:
import java.security.SecureRandom;

import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class MySession extends WebSession {
    // SecureRandom instead of the java.util.Random behind RandomUtils: the offset is
    // meant to be unguessable, and java.util.Random output can be reconstructed.
    private static final SecureRandom RNG = new SecureRandom();

    // Secret per-session offset added to every page id this session hands out.
    private final int sessionToken;

    public MySession(Request request) {
        super(request);
        sessionToken = RNG.nextInt(Integer.MAX_VALUE); // 0 .. Integer.MAX_VALUE - 1
    }

    @Override
    public synchronized int nextPageId() {
        int num = super.nextPageId(); // Wicket's sequential counter
        // Add in long arithmetic: num + sessionToken can exceed Integer.MAX_VALUE and
        // wrap to a negative int, and Java's % would then yield a negative page id.
        long shifted = ((long) num + sessionToken) % Integer.MAX_VALUE;
        return (int) shifted;
    }
}
However, this seems a little too simple for nobody to have thought of
it. Do you see any problems with this code, or should this
successfully protect against CSRF without causing other issues?
Best regards,
Andreas
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
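The arithmetic of the override above, simulated in Python as an added example (this is not code from the message or from Wicket, and the class and function names are the example's own; `INT_MAX` mirrors Java's Integer.MAX_VALUE, and the simulation assumes Wicket's page counter starts at 0 and increments by one per page, as Session.nextPageId() does). Under the proposal every page id in a session is the counter plus one session-wide constant, so the constant cancels out between any two ids of the same session: a single page id that leaves the victim's session, for instance in a Referer header or a pasted link, lets an attacker compute every other id of that session without guessing. The example also shows the modulus wrapping at the top of the range and why the addition has to be done in wider-than-int arithmetic.

```python
import secrets

# Java's Integer.MAX_VALUE, the modulus used by the proposed nextPageId() override.
INT_MAX = 2**31 - 1


class OffsetSession:
    """Simulation of the proposed override (assumption: the underlying counter
    starts at 0 and increments by one per page, like Session.nextPageId()).

    Every page id this session hands out is counter + token (mod INT_MAX)."""

    def __init__(self, token=None):
        self._counter = 0
        # One secret offset for the whole session, like the sessionToken field.
        self.token = secrets.randbelow(INT_MAX) if token is None else token

    def next_page_id(self):
        num = self._counter          # what super.nextPageId() would return
        self._counter += 1
        return (num + self.token) % INT_MAX


def predict_neighbors(leaked_id, count):
    """Attacker's view: the offset cancels out between any two ids of one session,
    so the `count` page ids created after the leaked one are leaked_id + 1,
    leaked_id + 2, ... (mod INT_MAX). The token itself is never needed."""
    return [(leaked_id + k) % INT_MAX for k in range(1, count + 1)]


def guesses_until_hit(target_id, candidates):
    """How many candidate URLs a forging page would have to fire before one carries
    the victim's real page id. None if the target is not among the candidates."""
    for n, candidate in enumerate(candidates, start=1):
        if candidate == target_id:
            return n
    return None


def java_int_add(a, b):
    """32-bit two's-complement addition, i.e. what `num + sessionToken` does in Java
    when both operands are int: the sum silently wraps instead of growing."""
    return (a + b + 2**31) % 2**32 - 2**31


def java_rem(a, m):
    """Java's % operator: the remainder takes the sign of the dividend."""
    r = abs(a) % abs(m)
    return -r if a < 0 else r


def demo():
    # Constructed scenario: one page id of the victim's session leaks (for example
    # via a Referer header); the attacker predicts the following ids from it.
    victim = OffsetSession(token=123456789)
    leaked = victim.next_page_id()        # appears in a URL the attacker gets to see
    next_real = victim.next_page_id()     # id of the page the attacker wants to target
    predicted = predict_neighbors(leaked, 3)
    guesses = guesses_until_hit(next_real, predicted)

    # Same arithmetic at the top of the range: ids wrap modulo INT_MAX, and the
    # prediction wraps with them.
    edge = OffsetSession(token=INT_MAX - 1)
    edge_ids = [edge.next_page_id() for _ in range(3)]

    # Overflow hazard if the addition is done in 32-bit int arithmetic: a large
    # token plus a counter value wraps negative, and Java's % keeps the sign.
    wrapped = java_rem(java_int_add(1, INT_MAX), INT_MAX)

    return {
        "leaked": leaked,
        "next_real": next_real,
        "predicted": predicted,
        "guesses": guesses,
        "edge_ids": edge_ids,
        "wrapped_page_id": wrapped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the attacker hitting the victim's next page id with the first candidate, because the prediction needs nothing beyond one observed id. The offset therefore only helps while no page id of the session is ever visible to the attacker; ids drawn independently and uniformly from the same 31-bit space would instead leave enumeration as the only strategy, roughly 2^30 candidates on average, which is the property a guess-resistant URL scheme has to provide per id rather than per session.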