[seam-dev] XSRF and JSF2

Shane Bryzak shane.bryzak at jboss.com
Wed Oct 1 09:22:14 EDT 2008


I created a new JIRA issue to remind me to do something about 
preventing/limiting XSS attacks in Seam Remoting:

https://jira.jboss.org/jira/browse/JBSEAM-3482

However I'm still not totally clear how I should be tackling this 
problem, probably because I don't fully understand the mechanism behind 
an XSS attack.  We already have an incremental call ID value passed with 
each remote request, so this could possibly be used as our "canary" 
value.  In any case, could you please walk me through the moving parts 
of an XSS attack step by step just so we're clear on what needs to be 
protected?


Christian Bauer wrote:
> Because it is back on Slashdot again today, I remembered why the 
> "let's automatically build a view if we don't have one in RESTORE VIEW 
> phase" proposal in JSF 2.0 was not sitting right with me.
>
> You need a little background on XSRF (Wikipedia or something) and see 
> the older discussion here and especially my last comment:
>
> http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSiteRequestForgery 
>
>
> I actually now think that we should have a cryptographically strong 
> (and of course mandatory) view identifier for better XSRF protection. 
> There are some other solutions worth discussing but AFAIK most of the 
> good ones involve a token/session mapping of some kind, so we run into 
> the "view has expired" problem again.
>
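
The token/session mapping Christian refers to, as an added illustration that is not Seam or JSF code and is written in Python rather than Java for brevity: each view rendered in a session gets an unguessable token, the server keeps a bounded per-session map of view id to token, and a postback is accepted only if it carries the token for that view. The eviction of old views is what produces the "view has expired" problem he mentions. The class and method names are hypothetical.

```python
import hmac
import secrets
from collections import OrderedDict


class ViewTokenStore:
    """Hypothetical synchronizer-token store: session id -> (view id -> token).

    A forged cross-site request arrives with the victim's session cookie but
    the attacking page cannot read the token embedded in the victim's view, so
    the token is the value the server checks.  A sequential call counter is
    not a substitute: its next value is predictable without reading the page.
    """

    def __init__(self, max_views_per_session=3):
        self.max_views = max_views_per_session
        self._sessions = {}

    def issue(self, session_id, view_id):
        """Generate and remember a fresh token for a view rendered in a session."""
        views = self._sessions.setdefault(session_id, OrderedDict())
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        views[view_id] = token
        views.move_to_end(view_id)
        # Bound server-side state by evicting the oldest view.  A user who
        # later posts back from an evicted view is rejected as "expired" even
        # though the request is legitimate: the trade-off the thread discusses.
        while len(views) > self.max_views:
            views.popitem(last=False)
        return token

    def validate(self, session_id, view_id, presented):
        """Return 'ok', 'expired' (no token known for this view) or 'rejected'."""
        views = self._sessions.get(session_id)
        if views is None or view_id not in views:
            return "expired"
        expected = views[view_id]
        # Constant-time comparison so the check does not leak the token.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return "rejected"
        return "ok"
```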
