Hi,

There is a (small) chance of clashes with this approach:

1) token = 0 => pageId == num
2) token = Integer.MAX_VALUE => pageId == num

The page id is session relative, so pageId=13 is Page1 for me but could be Page21 for anyone else.

On Mon, Nov 25, 2013 at 5:15 PM, Andreas Kappler <[email protected]> wrote:

> Hi,
>
> I am working on securing a Wicket application against CSRF attacks, which
> are possible because Wicket URLs can be easily guessed by an attacker and
> requests contain no challenge token.
>
> I did my research and found
> https://issues.apache.org/jira/browse/WICKET-1782 and
> https://issues.apache.org/jira/browse/WICKET-5326, pointing to using
> CryptMapper to encrypt the request URLs.
>
> However, wouldn't a simpler approach be to randomize the page ID that gets
> inserted into each URL? This way, an attacker can no longer issue requests
> as he cannot guess the URL of the page instance.
>
> The following basic session override does the trick:
>
> import org.apache.commons.lang.math.RandomUtils; // assumed Commons Lang 2.x import; with Commons Lang 3 use org.apache.commons.lang3.RandomUtils
> import org.apache.wicket.protocol.http.WebSession;
> import org.apache.wicket.request.Request;
>
> public class MySession extends WebSession {
>     // Per-session random offset added to every page id
>     private final int sessionToken;
>
>     public MySession(Request request) {
>         super(request);
>         sessionToken = RandomUtils.nextInt();
>     }
>
>     @Override
>     public synchronized int nextPageId() {
>         int num = super.nextPageId();
>         // Note: num + sessionToken can overflow int, which makes the result negative
>         return (num + sessionToken) % Integer.MAX_VALUE;
>     }
> }
>
> However, this seems a little too simple for nobody to have thought of
> that. Do you see any problems with this code, or should this successfully
> protect against CSRF, without causing other issues?
>
> Best regards,
> Andreas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
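An added example, not code from the thread or from Wicket: a Python model of the arithmetic in the quoted MySession, used to check the clash cases listed in the reply and to show why a fixed per-session offset hides less than a keyed transform such as CryptMapper. It ignores Java int overflow and assumes a session numbers its pages 0, 1, 2, ... (the starting value does not affect the analysis).

```python
# Model of the additive page-id scheme from the thread (added example; not
# the project's code). Java int overflow is ignored: the arithmetic is
# modelled as ideal integers reduced mod Integer.MAX_VALUE.
INT_MAX = 2**31 - 1  # Integer.MAX_VALUE


def obfuscated_page_id(num, session_token):
    """Model of MySession.nextPageId(): (num + sessionToken) % Integer.MAX_VALUE."""
    return (num + session_token) % INT_MAX


def session_page_ids(session_token, page_count):
    """Ids handed out to a session that has created page_count pages.
    Assumption: raw page numbers start at 0."""
    return [obfuscated_page_id(n, session_token) for n in range(page_count)]


def is_identity_token(session_token, page_count=10):
    """True when the session's ids equal the raw page numbers, i.e. the
    offset obfuscates nothing (the reply's token = 0 and token = MAX cases)."""
    return session_page_ids(session_token, page_count) == list(range(page_count))


def overlapping_ids(token_a, count_a, token_b, count_b):
    """Ids valid in both sessions: a URL carrying one of them addresses a page
    in either session, which is the clash the reply describes."""
    ids_a = set(session_page_ids(token_a, count_a))
    ids_b = set(session_page_ids(token_b, count_b))
    return sorted(ids_a & ids_b)


def page_number_for(page_id, session_token):
    """Raw page number that page_id denotes inside a given session. The same
    id is Page1 under one token and Page21 under another."""
    return (page_id - session_token) % INT_MAX


def recover_token(observed_id, known_num):
    """The mapping is a constant shift per session, so one (id, page number)
    pair, e.g. from a single leaked URL, reveals the token and with it every
    other id of that session. A keyed per-URL transform does not have this
    property, which is why the thread points to CryptMapper instead."""
    return (observed_id - known_num) % INT_MAX
```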
