[WEB SECURITY] CSRF remedies in
Stephen de Vries
stephen at twisteddelight.org
Thu Jan 15 03:07:20 EST 2009
On Jan 15, 2009, at 1:30 AM, Eric Rachner wrote:
> As most of us know, ASP.NET provides the ViewStateUserKey feature to
> mitigate CSRF attacks. But as a primarily Microsoft-oriented guy,
> I'm not personally aware of any equivalent solutions for use in
> other environments, J2EE in particular, except of course for
> CSRFGuard.
Some Java web frameworks have implemented workflow and/or pageflow
features. This has the unexpected effect of sometimes also protecting
against CSRF. Two examples that spring to mind are Spring WebFlow and
JBoss Seam. There are a few important caveats:
- The form you want to protect has to be part of a defined pageflow.
By default pages are not part of a pageflow.
- JBoss Seam's page token (conversation ID) is sequential by default,
but you can change this.
- JBoss Seam's conversation ID stays constant for the duration of a
"conversation" (which is defined by the developer) - so the same token
could be used for a number of forms.
Looking over the Apache Wicket documentation, it supports building
wizard style pages which looks as though it might also include a per
page, or per wizard nonce, but I haven't confirmed this.
http://cwiki.apache.org/WICKET/building-wizard-functionality.html
Stephen
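As an added illustration of the caveats raised in this message (not code from the thread, nor from Seam, WebFlow or Wicket): a hypothetical per-form synchronizer-token store in plain Java in which tokens are random rather than sequential, bound to one form name, and consumed on first successful use, so one token cannot serve several forms.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical per-form CSRF token store; one instance would be kept per HTTP session.
// Contrast with a sequential or conversation-wide ID: tokens here are 128 random bits,
// scoped to a single form name, and invalidated once a matching submission is accepted.
public final class CsrfTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    // form name -> outstanding token (would live in the HttpSession in a real app)
    private final Map<String, String> outstanding = new HashMap<>();

    // Issue a fresh token when the form is rendered; embed it in a hidden field.
    public synchronized String issue(String formName) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding.put(formName, token);
        return token;
    }

    // Validate the token submitted with the form. Succeeds only if it matches the
    // outstanding token for this particular form; on success the token is removed
    // so the same value cannot be presented again for this or any other form.
    public synchronized boolean validate(String formName, String submitted) {
        String expected = outstanding.get(formName);
        if (expected == null || submitted == null) {
            return false;
        }
        // Constant-time comparison so timing does not leak the expected token.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            outstanding.remove(formName);
        }
        return ok;
    }

    public static void main(String[] args) {
        CsrfTokenStore store = new CsrfTokenStore();
        String transfer = store.issue("transferFunds");
        String profile = store.issue("editProfile");
        // Token issued for one form presented to another form
        System.out.println(store.validate("transferFunds", profile));
        // Correct token, first use
        System.out.println(store.validate("transferFunds", transfer));
        // Same token presented a second time
        System.out.println(store.validate("transferFunds", transfer));
    }
}
```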