wicket-users mailing list archives

From Martin Grigorov <mgrigo...@apache.org>
Subject Re: CSRF protection by randomizing the page ID
Date Mon, 25 Nov 2013 15:48:41 GMT
Hi,

There is a (small) chance of clashes with this approach:

1) token = 0 => pageId == num

2) token = Integer.MAX_VALUE => pageId == num

The page id is session relative, so pageId=13 is Page1 for me but could be
Page21 for anyone else.


On Mon, Nov 25, 2013 at 5:15 PM, Andreas Kappler <andreas.kappler@jato-consulting.de> wrote:

> Hi,
>
> I am working on securing a Wicket application against CSRF attacks, which
> are possible because Wicket URLs can be easily guessed by an attacker and
> requests contain no challenge token.
>
> I did my research and found
> https://issues.apache.org/jira/browse/WICKET-1782 and
> https://issues.apache.org/jira/browse/WICKET-5326 , pointing to using
> CryptMapper to encrypt the request URLs.
>
> However, wouldn't a simpler approach be to randomize the page ID that gets
> inserted into each URL? This way, an attacker can no longer issue requests
> as he cannot guess the URL of the page instance.
>
> The following basic session override does the trick:
> import org.apache.commons.lang.math.RandomUtils; // Apache Commons Lang 2.x; assumed, the original omitted imports
> import org.apache.wicket.protocol.http.WebSession;
> import org.apache.wicket.request.Request;
>
> public class MySession extends WebSession {
>     // Per-session random offset, fixed for the lifetime of the session.
>     private final int sessionToken;
>
>     public MySession(Request request) {
>         super(request);
>         sessionToken = RandomUtils.nextInt();
>     }
>
>     // Shift Wicket's sequential page id by the session offset so that
>     // page URLs no longer expose the plain counter.
>     @Override
>     public synchronized int nextPageId() {
>         int num = super.nextPageId();
>         return (num + sessionToken) % Integer.MAX_VALUE;
>     }
> }
>
> However, this seems a little too simple for nobody to have thought of
> that. Do you see any problems with this code, or should this successfully
> protect against CSRF, without causing other issues?
>
> Best regards,
> Andreas
>
