Issue Details (XML | Word | Printable)

Key: WICKET-1782
Type: Improvement Improvement
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Igor Vaynberg
Reporter: Gorka Vicente
Votes: 0
Watchers: 2
Operations

If you were logged in you would be able to see more operations.
Wicket

Protection against CSRF (cross-site request forgery) attacks

Created: 08/Aug/08 11:26 AM   Updated: 22/Sep/08 05:50 AM
Return to search
Component/s: wicket
Affects Version/s: 1.3.4
Fix Version/s: 1.3.5, 1.4-RC1

Time Tracking:
Not Specified

Resolution Date: 08/Aug/08 10:14 PM


 Description  « Hide

Currently Wicket doesn't include a uniform and automatic solution against CRSF vulnerability or OWASP-A5 vulnerability [1].

In order to solve CSRF is necessary to avoid static HTML and create dynamic or aleatory HTML per user.

Two posible solutions:

1. Include a random token (aleatory parameter) to each url (link or form). The name and the value of this parameter can be the same per user or change per request (more secure but perform worse). It seems that can be implemented creating other implementation of IRequestCodingStrategy interface.

2. Encrypt all urls (links and form urls) using "Request Coding Strategy" strategy offered currently by wicket (CryptedUrlWebRequestCodingStrategy). Provide a security factory to use a different key per user or add some aleatory data to encrypted data (for example user jessionid). (SunJceCrypt, bundled in Wicket, is vulnerable to CSRF because obtained encrypted string is the same for all the users)


[1] http://www.owasp.org/index.php/Top_10_2007-A5

 All   Comments   Work Log   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Johan Compagner added a comment - 08/Aug/08 11:59 AM
about 1:
include a random token in each url that wicket generates?
is then only 1 token valid for 1 request?
That will not work for wicket. because of partial ajax updates of subsets of the pages then we have urls with token Y and with token Y+1 one 1 page and both urls old and new onces have to work fine.

[ Permlink | « Hide ]
Igor Vaynberg added a comment - 08/Aug/08 01:45 PM
yeah, hdiv guys already mentioned they break ajax support for apps that use their filter, so (1) is definetely a no-go for us. we are going to go the (2) route, i am thinking a simple sunjcecrypt and a [sessionid.uuid] key...

[ Permlink | « Hide ]
Johan Compagner added a comment - 08/Aug/08 01:55 PM
do we have a jsessionid always?
stateless pages?

What to do if for example there is not session yet? Then the default key is just used?

[ Permlink | « Hide ]
Igor Vaynberg added a comment - 08/Aug/08 03:50 PM
in order to have csrf protection you have to create an httpsession...stateless apps are not secure because you need a mirror token on the server

[ Permlink | « Hide ]
Igor Vaynberg added a comment - 08/Aug/08 10:14 PM
the default crypt factory is now KeyInSessionSunJceCryptFactory which uses a randomly generated encryption key stored in httpsession.

[ Permlink | « Hide ]
Jörn Zaefferer added a comment - 22/Aug/08 08:58 AM
I found the commit on svnsearch (http://svnsearch.org/svnsearch/repos/ASF/search?logMessage=csrf). Any idea when 1.3.5 will be released? This looks like a much better solution then trying to build my own "secure" forms.

[ Permlink | « Hide ]
Igor Vaynberg added a comment - 25/Aug/08 06:52 PM
in the near future is all i can say. if you would like it to be released earlier start a thread on the mailing list

[ Permlink | « Hide ]
Kent Tong added a comment - 22/Sep/08 05:50 AM
Is it enough to make sure the pagemap id (representing the window) is random? This way another window will be unable to forge the request.


Powered by a free Atlassian JIRA open source license for Apache Software Foundation. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators