Re: Cross-Site Request Forgery
- Subject: Re: Cross-Site Request Forgery
- From: Chuck Hill <email@hidden>
- Date: Fri, 15 Dec 2017 20:39:26 +0000
- Thread-topic: Cross-Site Request Forgery
Hi Leigh,
There is no built-in way to do this. For Direct Actions you have to do it on
your own. Component Actions are already somewhat safe due to the obscure
nature of the element ID on the URL. But if someone knows WO and is familiar
with the structure of your site there is still a window for CSRF attacks. I
don’t think you can do anything automatic without having access to the WO
source code, but the ERXForm etc. subclasses that Wonder installs might let you
create an automated way of doing this.
Chuck
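A synchronizer-token check for a Direct Action, as an added example that is not code from this thread, from WebObjects or from Wonder. It assumes a `WODirectAction` subclass whose form renders the session token into a hidden field named `csrfToken` (that field name, the session key and the `updateProfileAction` name are assumptions), and it only applies to Direct Actions, the case Chuck says you must handle yourself.

```java
import com.webobjects.appserver.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: per-session synchronizer token for a WebObjects Direct Action.
// TOKEN_KEY (session key and hidden-field name) and the action name are assumptions.
public class GuardedDirectAction extends WODirectAction {
    private static final String TOKEN_KEY = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    public GuardedDirectAction(WORequest request) {
        super(request);
    }

    // Token for this session, created on first use; bind it to a WOHiddenField
    // named "csrfToken" in every form that posts to a state-changing action.
    public static String tokenForSession(WOSession session) {
        String token = (String) session.objectForKey(TOKEN_KEY);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setObjectForKey(token, TOKEN_KEY);
        }
        return token;
    }

    // Valid only when the submitted field equals the session token (constant-time compare).
    private boolean csrfTokenIsValid() {
        WOSession session = existingSession();  // never create a session just to validate
        String expected = session == null ? null : (String) session.objectForKey(TOKEN_KEY);
        String submitted = request().stringFormValueForKey(TOKEN_KEY);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    // State-changing action: accept only a POST that carries a valid token.
    public WOActionResults updateProfileAction() {
        if (!"POST".equalsIgnoreCase(request().method()) || !csrfTokenIsValid()) {
            WOResponse denied = new WOResponse();
            denied.setStatus(403);
            denied.appendContentString("Forbidden: missing or invalid CSRF token");
            return denied;
        }
        // ... apply the profile change here ...
        return pageWithName("ProfileUpdated");
    }
}
```

A GET that changes state bypasses this check entirely, so the method test above is as important as the token compare.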
From: Webobjects-dev
<webobjects-dev-bounces+chill=email@hidden> on behalf of Leigh
Kivenko <email@hidden>
Date: Friday, December 15, 2017 at 11:56 AM
To: WebObjects-Dev <email@hidden>
Subject: Cross-Site Request Forgery
Hello,
Just wondering if anyone has ever had to harden their WebObjects applications
against CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Is there a way to have WebObjects do this automatically or do we need to
implement this on our own?
Thanks,
Leigh Kivenko | VP, Technology
PortfolioAid
t. 416-479-0523 | e. email@hidden
This e-mail may be privileged and confidential. If you received this e-mail in
error, please do not use, copy or distribute it, but advise me immediately (by
return e-mail or otherwise), and delete the e-mail.
Webobjects-dev mailing list (email@hidden)