Hey Misi,

2010/2/8 misi e <[email protected]>:
> Koen,
> I am afraid I failed to describe well the example with the two users.
> I also understand that the following text tries to give an explanation to my
> worries:
>
> Attacks against the application logic: an attacker issues a request to some
> page or service that is only accessible after authorization.
>
> Wt protects the application logic because all incoming requests are
> interpreted in one central, well-tested routine. The request is parsed and
> only *exposed event signals* may be triggered. Exposed event signals are
> attached to widgets that are currently rendered on the screen. For example,
> a button click on a button that is currently shown on the screen. In this
> way, the logic of the application (such as for example: you need to first
> log in, and then only you may request for a payment) is automatically
> validated: only code in slots connected to exposed signals can be invoked
> by the user.
>
> I am aware that the session ID is secret. However, I still do not understand
> if the described mechanism would protect in the following case:
> I have the edit post button available; I am the owner of the post with
> id=id1. I click on edit post and get the screen with edit post. I have the
> necessary slots exposed, the save button's signal is connected, etc. Inside
> my browser there should be something that identifies the object. This is
> very probably the id of the post. Now if I want to play the bad guy, I
> inject some JavaScript and trigger the save on the browser side, but each
> time with id=1..10000. That means I could overwrite all the posts with
> id=1..1000 even if they do not belong to me.
Wt will never expose any part of your business logic on the client. In this
case, the button is implicitly associated with the particular post on the
server side, and only the button is identified at the client (not the post
id) [Wt does not even know there is a post involved; its sole task is to
render widgets and relay events]. As a bad guy you cannot do anything, since
there is only one button available, and that is the only button whose click
event will be accepted.

> About the beer: I wrote a last-minute email asking you (emweb people, how
> many are you at emweb focused on Wt, by the way :) ) to wear some Wt slot so
> that we can send a signal... :)

Yes, sorry, I completely misjudged the beer event's popularity and size. Next
year we will make sure we can be identified easily! (We are currently still
only 3 people at Emweb.)

Regards,
koen

_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest
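The mechanism Koen describes (the client only ever names a widget, and the widget's slot is already bound to its post on the server) is easy to see in a small model. The following is an added example written for this thread, not Wt's own code: it simulates a session that keeps a table of currently exposed signals keyed by an opaque widget id, a render step that only exposes a Save slot when the logged-in user owns the post, and an attacker-side sweep that fires every guessable widget id with a tampered payload. Names such as `Session`, `renderEditForm`, `runScenario` and the three sample posts are constructed for illustration; the session id is assumed secret, so the sweep runs inside the attacker's own session.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Constructed sample data: posts with their owners (not from the original thread).
struct Post { int id; std::string owner; std::string body; };

// One user's session. `exposed_` is the set of signals that may currently be
// triggered: the key is the opaque widget id the browser sees, the value is a
// slot that was bound, on the server, to the object it operates on.
class Session {
public:
    explicit Session(std::string user) : user_(std::move(user)) {}

    // Expose a slot under a fresh widget id and return that id to the client.
    std::string expose(std::function<void(const std::string&)> slot) {
        std::string wid = "w" + std::to_string(nextId_++);
        exposed_[wid] = std::move(slot);
        return wid;
    }
    // Called when the widget leaves the screen: the signal is no longer exposed.
    void unexpose(const std::string& wid) { exposed_.erase(wid); }

    // The central request handler. The request names a widget and carries a
    // payload (the edited text); it carries no post id, so the client cannot
    // choose the target. Anything not currently exposed is rejected.
    bool dispatch(const std::string& wid, const std::string& payload) {
        auto it = exposed_.find(wid);
        if (it == exposed_.end()) return false;
        it->second(payload);
        return true;
    }
    const std::string& user() const { return user_; }

private:
    std::string user_;
    int nextId_ = 0;
    std::map<std::string, std::function<void(const std::string&)>> exposed_;
};

// Application logic: render the edit form for post `id` only if the session's
// user owns it. The Save slot captures the post itself; the returned widget id
// is the only thing that reaches the browser. Returns "" when nothing is exposed.
std::string renderEditForm(Session& s, std::vector<Post>& posts, int id) {
    for (auto& p : posts) {
        if (p.id == id && p.owner == s.user()) {
            Post* target = &p;
            return s.expose([target](const std::string& newBody) { target->body = newBody; });
        }
    }
    return "";
}

struct Outcome {
    int accepted;             // requests the dispatcher accepted during the sweep
    int foreignModified;      // posts not owned by the attacker that changed
    bool ownModified;         // the attacker's own post changed (expected)
    bool foreignFormExposed;  // did rendering someone else's edit form expose a slot?
    bool acceptedAfterClose;  // does the Save widget still work once unexposed?
};

// Misi's scenario: "mallory" owns post 2, opens its edit form, then injects a
// script that fires Save with every id from 0 to 9999.
Outcome runScenario() {
    std::vector<Post> posts = {{1, "alice", "a"}, {2, "mallory", "m"}, {3, "bob", "b"}};
    Session mallory("mallory");
    std::string saveBtn = renderEditForm(mallory, posts, 2);
    Outcome o{0, 0, false, false, false};
    for (int i = 0; i < 10000; ++i) {
        // Attacker-controlled request: widget id guessed, payload tampered.
        if (mallory.dispatch("w" + std::to_string(i), "pwned")) ++o.accepted;
    }
    for (const auto& p : posts) {
        if (p.owner != "mallory" && p.body == "pwned") ++o.foreignModified;
        if (p.owner == "mallory" && p.body == "pwned") o.ownModified = true;
    }
    o.foreignFormExposed = !renderEditForm(mallory, posts, 1).empty();
    mallory.unexpose(saveBtn);
    o.acceptedAfterClose = mallory.dispatch(saveBtn, "again");
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("accepted=%d foreignModified=%d ownModified=%d "
                "foreignFormExposed=%d acceptedAfterClose=%d\n",
                o.accepted, o.foreignModified, o.ownModified,
                o.foreignFormExposed, o.acceptedAfterClose);
    return 0;
}
```

The sweep hits exactly one accepted request (the attacker's own Save widget), and that slot can only ever write to the post it was bound to at render time; no request from the browser can name a different post, and once the form is closed the same widget id is rejected. The guarding check is therefore the ownership test at render time, which is why that test, not the client-visible id, is what has to be right.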
