Re: Webobjects vulnerability to cross-site request forgery?


  • Subject: Re: Webobjects vulnerability to cross-site request forgery?
  • From: Daniele Corti <email@hidden>
  • Date: Thu, 26 Jan 2012 17:16:09 +0100

Hi Giles,
Well, IMHO, only direct actions can be vulnerable to Cross-Site Attack.

To prevent this you can avoid handling the Session ID in cookies and force URLs to contain the Session ID in each request (BTW, this is the default WO behaviour). Second, you can check in Direct Actions that the http-referer domain is the same as your app's (request().headerForKey("referer")).

For me, the best way to avoid Cross-Site Attack would be to use session-less Direct Actions, with POST auth credentials in each request. Under HTTPS, of course...

Hope this helps!

Bye
--
Daniele Corti
--
I DON'T DoubleClick


2012/1/26 Giles Palmer <email@hidden>
Hi All

We have an application that lives behind a login and all requests are session based component requests.  We have been asked by a user about our vulnerability to Cross-site request forgery.

http://en.wikipedia.org/wiki/Cross-site_request_forgery
and
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

What do you guys do to protect against this? Are component urls and an authenticated session enough to prevent this?

Advice much appreciated.


Regards


Giles
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

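The Referer check Daniele describes, as an added illustration that is not code from the thread nor part of WebObjects itself: a hypothetical WODirectAction subclass that compares the host named in the request's Origin (or, failing that, Referer) header with its own Host header before dispatching any action, and treats a missing or unparsable header as foreign. The class name and the choice of reading the app's host from the Host header are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;

/**
 * Hypothetical base class for Direct Actions that refuses requests whose
 * Origin/Referer does not name this application's own host.
 */
public class RefererCheckedDirectAction extends WODirectAction {

    public RefererCheckedDirectAction(WORequest request) {
        super(request);
    }

    /** Host this app is served as, without port (assumption: taken from the Host header). */
    protected String ownHost() {
        String host = request().headerForKey("host");
        if (host == null) return null;
        int colon = host.indexOf(':');
        return (colon >= 0 ? host.substring(0, colon) : host).toLowerCase();
    }

    /** True only when Origin (preferred) or Referer carries exactly ownHost(). */
    protected boolean sourceMatchesOwnHost() {
        String own = ownHost();
        String source = request().headerForKey("origin");
        if (source == null) source = request().headerForKey("referer");
        if (own == null || source == null) return false;   // absent header: treat as foreign
        try {
            // Compare the full host, so "app.example.com.evil.example" does not pass
            String sourceHost = new URI(source).getHost();
            return sourceHost != null && sourceHost.equalsIgnoreCase(own);
        } catch (URISyntaxException e) {
            return false;                                  // malformed header: reject
        }
    }

    @Override
    public WOActionResults performActionNamed(String actionName) {
        if (!sourceMatchesOwnHost()) {
            WOResponse response = new WOResponse();
            response.setStatus(403);
            response.setContent("Request did not originate from this application");
            return response;
        }
        return super.performActionNamed(actionName);
    }
}
```

Browsers may omit Referer entirely (privacy settings, HTTPS-to-HTTP transitions), so a deployment using this check should expect some legitimate requests to be refused and pair it with the session-less POST credentials Daniele mentions rather than rely on the header alone.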
