[WEB SECURITY] CSRF remedies in

Stephen de Vries stephen at twisteddelight.org
Thu Jan 15 03:07:20 EST 2009

On Jan 15, 2009, at 1:30 AM, Eric Rachner wrote:

> As most of us know, ASP.NET provides the ViewStateUserKey feature to  
> mitigate CSRF attacks.  But as a primarily Microsoft-oriented guy,  
> I'm not personally aware of any equivalent solutions for use in  
> other environments, J2EE in particular, except of course for  
> CSRFGuard.

Some Java web frameworks have implemented workflow and/or pageflow  
features.  This has the unexpected effect of sometimes also protecting  
against CSRF.  Two examples that spring to mind are Spring WebFlow and  
JBoss Seam.  There are a few important caveats:
- The form you want to protect has to be part of a defined pageflow.   
By default pages are not part of a pageflow.
- JBoss Seam's page token (conversation ID) is sequential by default,  
but you can change this.
- JBoss Seam's conversation ID stays constant for the duration of a  
"conversation" (which is defined by the developer) - so the same token  
could be used for a number of forms.

Looking over the Apache Wicket documentation, it supports building  
wizard-style pages, which look as though they might also include a  
per-page or per-wizard nonce, but I haven't confirmed this.  
http://cwiki.apache.org/WICKET/building-wizard-functionality.html
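
An added example, not part of the original message and not code from Seam, Spring WebFlow or Wicket: plain Java contrasting a sequential token with an unpredictable, single-use token bound to one session and one form, which is what the second and third caveats above call for. The class, its method names and the session and form identifiers are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

public class FormTokenDemo {
    // Weak: counter-based token, standing in for a sequential page token.
    static final AtomicLong COUNTER = new AtomicLong(1000); // constructed start value
    static String sequentialToken() { return Long.toString(COUNTER.incrementAndGet()); }

    // Hardened: one unpredictable, single-use token per (session, form).
    static final SecureRandom RNG = new SecureRandom();
    static final Map<String, String> ISSUED = new ConcurrentHashMap<>();

    static String issue(String sessionId, String formId) {
        byte[] raw = new byte[32];                       // 256 bits from the CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        ISSUED.put(sessionId + "|" + formId, token);     // bound to this session and form
        return token;
    }

    static boolean verify(String sessionId, String formId, String submitted) {
        String expected = ISSUED.remove(sessionId + "|" + formId); // consumed on first use
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(                    // constant-time comparison
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // A counter-based token: seeing one value reveals the next one issued.
        long seen = Long.parseLong(sequentialToken());
        System.out.println("sequential, next value known in advance = "
            + sequentialToken().equals(Long.toString(seen + 1)));

        String t = issue("sessA", "transfer");           // constructed identifiers
        System.out.println("valid submit             = " + verify("sessA", "transfer", t));
        System.out.println("same token replayed      = " + verify("sessA", "transfer", t));
        String t2 = issue("sessA", "transfer");
        System.out.println("token used on other form = " + verify("sessA", "profile", t2));
        System.out.println("token from other session = " + verify("sessB", "transfer", t2));
    }
}
```

In a servlet application the map would live in the user's HTTP session rather than a static field, so tokens expire with the session.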

