Re: Ajax and CSRF vulnerability


  • Subject: Re: Ajax and CSRF vulnerability
  • From: Kai Lochbaum <email@hidden>
  • Date: Thu, 06 Dec 2018 15:06:50 +0000
  • Thread-topic: Ajax and CSRF vulnerability

Hi Pierre,

There is a global AjaxOptions.defaultOptions function which is used in all
Wonder Ajax requests, where you can hook up such things via JavaScript.

We also use it to send a CSRF token as a request header:

if (AjaxOptions && typeof AjaxOptions.defaultOptions === 'function' && csrftoken) {
    // keep Wonder's original implementation so we can delegate to it
    var originalFn = AjaxOptions.defaultOptions;
    AjaxOptions.defaultOptions = function(additionalOptions) {
        additionalOptions = additionalOptions || {};
        // add the token as a request header on every Ajax request
        Object.extend(additionalOptions, { 'requestHeaders': { csrftoken: csrftoken }});
        return originalFn(additionalOptions);
    };
}

Then you just need to add some JS to get the csrftoken variable from your
hidden field and add that JavaScript code after the wonder.js script tag.

For validation you obviously have to check the header in this implementation.





Cheers,

Kai Lochbaum

--

salient GmbH, Lindleystraße 12, 60314 Frankfurt

Phone (switchboard): 069 / 65 00 96 - 0  |  http://www.salient-doremus.de



On 06.12.18, 15:57, "GILQUIN Pierre" <email@hidden> wrote:



    Hi,

    1) I used a hidden field wosid to prevent CSRF vulnerability for a
    standard Wonder application (<input type="hidden" name="wosid"
    value="wIrACwBfmFeiVyNcVMFkow"> ).

    I just compare this hidden field with the real sessionID.

    Now, I want to use the same protection in some ajaxified components.
    Problem: by default, the HTTP POST is partial and wosid is not sent.

    "fullSubmit = true" cannot be easily used in this app.

    Is there a way to configure/adapt the Ajax Wonder framework so that the wosid
    will always be added to the partial formValues?

    2) This application must be deployed in a Tomcat environment. I have seen a
    cookie with the Tomcat session JSESSIONID.

    Is there a way to access the Tomcat JSESSIONID in the Wonder app in order
    to compare it with the value in the cookie?

    Thanks for any help

    Pierre

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

  • Follow-Ups:
    • RE: Ajax and CSRF vulnerability (From: Leigh Kivenko <email@hidden>)
  • References:
    • Ajax and CSRF vulnerability (From: GILQUIN Pierre <email@hidden>)
