Koen,
I am afraid I failed to describe well the example with the two users.
I also understand that the following text tries to give an explanation to my
worries:
Attacks against the *application logic*: an attacker issues a request to
some page or service that is only accessible after authorization.
- Wt protects the application logic because all incoming requests are
interpreted in one central, well-tested routine. The request is parsed and
only **exposed event signals** may be triggered. Exposed event signals are
attached to widgets that are currently rendered on the screen. For example,
a button click on a button that is currently shown on the screen. In this
way, the logic of the application (such as for example: you need to first log
in, and then only you may request for a payment) is automatically
validated: only code in slots connected to exposed signals can be invoked by
the user.
I am aware that the session ID is secret. However, I still do not understand
if the described mechanism would protect in the following case:
I have the edit post button available, I am the owner of post with id=id1. I
click on edit post, will get the screen with edit post. I have the necessary
slots exposed, the save button's signal is connected etc. etc. Inside my
browser there should be something that identifies the object. This is very
probably the id of the post. Now if I want to play the bad guy I inject some
JavaScript and trigger on the browser side the save, but each time with
id=1..10000. That means I could overwrite all the posts with id=1..1000 even
if they do not belong to me.
Maybe your argument would be that after the first save, the object on the
server side would be destroyed so you cannot make a second save. But in that
case I would always alternate "edit"/"malicious save" etc. etc.
About the beer: I wrote a last-minute email asking you (emweb people, how
many are you at emweb focused on Wt, by the way :) ) to wear some Wt slot so
that we can send a signal... :)
mobiphil
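As an added illustration (not code from this thread, from Wt or from Emweb), here is a stand-alone C++ model of the edit/save flow described in the mail: the identity of the post being edited is kept in server-side session state, the request from the browser can only name a signal and carry form fields, and the save slot re-checks ownership, so a replayed save with a tampered id field changes nothing it should not. All names (Session, Request, handleRequest, the sample posts) are hypothetical.

```cpp
#include <map>
#include <optional>
#include <string>

struct Post { int id; std::string owner; std::string body; };

// Constructed sample store (hypothetical): three posts, three owners.
static std::map<int, Post> g_posts = {
    {1, {1, "alice", "a"}}, {2, {2, "bob", "b"}}, {3, {3, "carol", "c"}}};

// Server-side session state. The post being edited lives here, never in the browser.
struct Session {
    std::string user;               // authenticated user bound to the secret session id
    std::optional<int> editingPost; // set by onEdit, cleared by onSave
};

// What a browser-side request can carry: a signal name plus form field values.
struct Request { std::string signal; std::map<std::string, std::string> fields; };

// "edit" slot: stands in for a per-post edit button that is rendered (exposed)
// only for the caller's own posts. Ownership is checked before any state is set.
bool onEdit(Session& s, int postId) {
    auto it = g_posts.find(postId);
    if (it == g_posts.end() || it->second.owner != s.user) return false;
    s.editingPost = postId;
    return true;
}

// "save" slot: the target post comes from server state, and ownership is
// re-checked at save time (defence in depth against the edit/save alternation).
bool onSave(Session& s, const std::string& body) {
    if (!s.editingPost) return false;      // no edit in progress: signal not exposed
    Post& p = g_posts.at(*s.editingPost);
    if (p.owner != s.user) return false;
    p.body = body;
    s.editingPost.reset();                 // a save consumes the exposed signal
    return true;
}

// Central dispatcher: an "id" field sent along with "save" is simply never read.
bool handleRequest(Session& s, const Request& r) {
    if (r.signal == "edit") {
        auto f = r.fields.find("id");
        return f != r.fields.end() && onEdit(s, std::stoi(f->second));
    }
    if (r.signal == "save") {
        auto f = r.fields.find("body");
        return f != r.fields.end() && onSave(s, f->second);
    }
    return false;                          // unknown signal: ignored
}

std::string postBody(int id) { return g_posts.at(id).body; }
```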
_______________________________________________
witty-interest mailing list
https://lists.sourceforge.net/lists/listinfo/witty-interest