Re: Webobjects vulnerability to cross-site request forgery?
- Subject: Re: Webobjects vulnerability to cross-site request forgery?
- From: Giles Palmer <email@hidden>
- Date: Thu, 26 Jan 2012 16:54:08 +0000
Hi Dov / Daniele
Thanks for this. I was not actually talking about "cross site scripting" but "cross-site request forgery" according to the link http://en.wikipedia.org/wiki/Cross-site_request_forgery
I think, as Daniele suggests, that the way that component URLs are constructed means they are not vulnerable whereas direct action URLs are. As our site uses authenticated sessions and component actions then we should be ok, but I would like confirmation.
Regards
Giles
> HTTPS will not stop cross site scripting attacks. The only way to stop cross site scripting and request forging attacks is to validate all URL parameters against a white list and validate all posts coming from your application were from your application and not a BURP suite type of hack tool. OWASP (http://www.owasp.org) has a lot of really good information and tools that you can integrate into a WO app to greatly reduce security issues (notice I said reduce not eliminate)
>
> Dov Rosenberg
>
>
> On Jan 26, 2012, at 8:16 AM, Daniele Corti wrote:
>
>> Hi Giles,
>> Well, IMHO, only direct actions can be vulnerable to Cross-Site Attack.
>>
>> To prevent this you can avoid handling the Session ID in cookies and force URLs to contain the Session ID in each request (BTW, this is the default WO behaviour). Second, you can check in Direct Actions that the http-referer domain is the same as your app's (request().headerForKey("referer")).
>>
>> For me, the best way to avoid Cross-Site Attack would be using session-less Direct Actions, with POST auth credentials in each request. Under HTTPS of course...
>>
>> Hope this helps!
>>
>> Bye
>> --
>> Daniele Corti
>> --
>> I DON'T DoubleClick
>>
>>
>> 2012/1/26 Giles Palmer <email@hidden>
>> Hi All
>>
>> We have an application that lives behind a login and all requests are session based component requests. We have been asked by a user about our vulnerability to Cross-site request forgery.
>>
>> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>> and
>> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
>>
>> What do you guys do to protect against this? Are component urls and an authenticated session enough to prevent this?
>>
>> Advice much appreciated.
>>
>>
>> Regards
>>
>>
>> Giles
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
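The thread's point is that direct actions, unlike component actions, have predictable URLs and so need their own CSRF defence. The following is an added example, not code from the thread or from WebObjects itself, showing the per-session synchronizer-token pattern from the OWASP page Giles links (a complement to Daniele's referer check): a `DirectAction` subclass (assumed name) that issues a random token per session and refuses a state-changing action unless the POST carries it. The action name `deleteRecordAction` and page name `RecordDeleted` are placeholders.

```java
import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOResponse;
import com.webobjects.appserver.WOSession;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class DirectAction extends WODirectAction {
    // Key under which the token is stored in the session and submitted as a form value.
    private static final String TOKEN_KEY = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    public DirectAction(WORequest request) { super(request); }

    // Returns the session's token, creating it on first use. Render it as a hidden
    // form field (WOHiddenField) on every page that posts to a state-changing action.
    public static String tokenForSession(WOSession session) {
        String token = (String) session.objectForKey(TOKEN_KEY);
        if (token == null) {
            byte[] raw = new byte[32];                       // 256 bits of entropy
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setObjectForKey(token, TOKEN_KEY);
        }
        return token;
    }

    // Constant-time comparison so a mismatch cannot be probed byte by byte.
    static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    // A state-changing direct action (placeholder name): it never creates a session,
    // only accepts POST, and requires the token that belongs to the existing session.
    public WOActionResults deleteRecordAction() {
        WOSession session = existingSession();
        Object submitted = request().formValueForKey(TOKEN_KEY);
        boolean ok = session != null
                && "POST".equals(request().method())
                && tokenMatches((String) session.objectForKey(TOKEN_KEY),
                                submitted == null ? null : submitted.toString());
        if (!ok) {
            WOResponse denied = new WOResponse();
            denied.setStatus(403);                           // reject; do not act on the request
            denied.setContent("Request rejected: missing or invalid CSRF token");
            return denied;
        }
        // ... perform the deletion here, then return the confirmation page ...
        return pageWithName("RecordDeleted");
    }
}
```

A forged cross-site form cannot include the token because the attacking page never sees the victim's session contents, so the check fails even when the browser attaches the session cookie; a link-only GET to the same action is rejected by the method check.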