[seam-dev] XSRF and JSF2
Shane Bryzak
shane.bryzak at jboss.com
Wed Oct 1 09:22:14 EDT 2008
I created a new JIRA issue to remind me to do something about
preventing/limiting XSS attacks in Seam Remoting:
https://jira.jboss.org/jira/browse/JBSEAM-3482
However I'm still not totally clear how I should be tackling this
problem, probably because I don't fully understand the mechanism behind
an XSS attack. We already have an incremental call ID value passed with
each remote request, so this could possibly be used as our "canary"
value. In any case, could you please walk me through the moving parts
of an XSS attack step by step just so we're clear on what needs to be
protected?
Christian Bauer wrote:
> Because it is back on Slashdot again today, I remembered why the
> "let's automatically build a view if we don't have one in RESTORE VIEW
> phase" proposal in JSF 2.0 was not sitting right with me.
>
> You need a little background on XSRF (Wikipedia or something) and see
> the older discussion here and especially my last comment:
>
> http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSiteRequestForgery
>
>
> I actually now think that we should have a cryptographically strong
> (and of course mandatory) view identifier for better XSRF protection.
> There are some other solutions worth discussing but AFAIK most of the
> good ones involve a token/session mapping of some kind, so we run into
> the "view has expired" problem again.
>
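As an added example (not code from the Seam project or from either poster), the two schemes being discussed side by side in Python: a per-session random secret from which a per-view token is derived with HMAC, so the server keeps no per-view state and does not hit a separate "view has expired" condition, beside a plain incremental call id used as the check. The names (SESSIONS, new_session, view_token, is_valid_request, is_valid_counter_request) and the in-memory session store are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session secret.
# A real deployment would keep this in the container's session object.
SESSIONS: dict[str, bytes] = {}


def new_session() -> str:
    """Create a session and give it a fresh 256-bit random secret."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def view_token(sid: str, view_id: str) -> str:
    """Derive the XSRF token the server embeds in a view for this session.

    HMAC(session_secret, view_id) binds the token to both the session and the
    view without storing anything per view, so any view rendered during the
    session can still be validated later; only the session has to be alive.
    """
    return hmac.new(SESSIONS[sid], view_id.encode(), hashlib.sha256).hexdigest()


def is_valid_request(sid: str, view_id: str, presented: str) -> bool:
    """Accept a request only if the token matches this session/view pair."""
    secret = SESSIONS.get(sid)
    if secret is None:
        return False  # unknown or expired session: never accept
    expected = hmac.new(secret, view_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check leaks nothing about the token.
    return hmac.compare_digest(expected, presented)


def is_valid_counter_request(state: dict, presented: int) -> bool:
    """The incremental call id as a check: accept the next expected number.

    Every session starts the counter at the same value, so a third party who
    never saw the victim's traffic can still supply the right number; the
    counter proves ordering, not that the caller could read the page.
    """
    if presented == state["next_call_id"]:
        state["next_call_id"] += 1
        return True
    return False
```

The test asserts that a token from another session, or for another view, is rejected, while the counter scheme accepts the first expected value without any knowledge of the victim's page.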