[seam-dev] XSRF and JSF2

Dan Allen dan.j.allen at gmail.com
Wed Oct 1 13:19:28 EDT 2008


I really don't see how the problems you cited in the response below
have anything to do with a stale view. Sure, I could write a bot that
hits a website and does a legitimate and timely postback to submit a
contact form over and over. I could also attempt to use someone else's
username and attempt to log in to seamframework.org a dozen times and
will end up locking their account (if that security measure is
enforced). The website just has to be smarter than that.

When used appropriately, I still feel there are legitimate times when
the view can be built during restore view w/o introducing any more
security problems than naturally exist on the web. It would be the
same as giving them a fresh view and asking them to enter the exact
same data over again and submit it.

-Dan

On Wed, Oct 1, 2008 at 1:00 PM, Christian Bauer
<christian.bauer at gmail.com> wrote:
>
> On Oct 01, 2008, at 18:32 , Dan Allen wrote:
>
>> A contact form is another great example. It would be no
>> different than implementing a GET request with a page action. No doubt
>> I am not thinking of some obscure attack, so feel free to cite where
>> my logic is faulty, but I believe there is such a thing as a stateless
>> page.
>
> Well, would you like that some "other" website submits "your" contact form a
> hundred times? This might be just a DoS instead of a real exploit but it's
> still not something I would want to happen.
>
> Anything that is non-safe, in the sense that resource state is permanently
> modified, no matter if you abuse a GET (which is supposed to be safe) or
> have an XSRF POST problem, is potentially damaging. Even a login form can be
> problematic, let's say you lock the account after three unsuccessful
> authentication attempts?
>
> _______________________________________________
> seam-dev mailing list
> seam-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
>



-- 
Dan Allen
Software consultant | Author of Seam in Action

http://mojavelinux.com
http://mojavelinux.com/seaminaction

NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters.  Please don't hesitate to resend a message if
you feel that it did not reach my attention.
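Added example (not code from this thread, nor from Seam or JSF): a small model of the two abuse cases Christian raises, a third-party page re-posting a contact form a hundred times and a third-party page burning a victim's failed-login budget until the account locks, run against the same endpoints with and without a synchronizer-token check. The browser attaches the victim's session cookie to both forged POSTs, so the presence of a session proves nothing; only the per-session token, which the attacking origin can never read, separates the user's own postback from a forged one. The `Site`, `Session`, `Request` classes, the `alice` fixture and the lock-after-three rule are all constructed for the illustration.

```python
"""Synchronizer-token check for non-safe (state-changing) POSTs.

Constructed illustration, not Seam or JSF code. Models a contact form and a
login form that lock an account after three failures, each reachable with or
without a per-session anti-XSRF token check.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session; the token lives here, never in a URL."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    session: Optional[Session]  # set whenever the browser sent a session cookie


def hidden_token_field(session: Session) -> str:
    """What the site renders into its own form; a foreign page never sees it."""
    return f'<input type="hidden" name="_csrf" value="{session.csrf_token}">'


def token_matches(req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    if req.session is None:
        return False
    return hmac.compare_digest(req.form.get("_csrf", ""), req.session.csrf_token)


class Site:
    """Two non-safe endpoints; check_token=False is the vulnerable configuration."""

    def __init__(self, lock_after: int = 3, check_token: bool = True):
        self.check_token = check_token
        self.lock_after = lock_after
        self.messages = []
        self.failed_logins: Dict[str, int] = {}
        self.locked = set()
        self.passwords = {"alice": "correct horse"}  # constructed fixture

    def _reject_if_forged(self, req: Request) -> Optional[Tuple[int, str]]:
        if req.method != "POST":
            return 405, "state changes are POST-only; GET must stay safe"
        if self.check_token and not token_matches(req):
            return 403, "missing or invalid synchronizer token"
        return None

    def contact(self, req: Request) -> Tuple[int, str]:
        err = self._reject_if_forged(req)
        if err:
            return err
        self.messages.append(req.form.get("message", ""))
        return 200, "sent"

    def login(self, req: Request) -> Tuple[int, str]:
        err = self._reject_if_forged(req)
        if err:
            return err
        user = req.form.get("username", "")
        if user in self.locked:
            return 423, "account locked"
        if self.passwords.get(user) == req.form.get("password"):
            self.failed_logins.pop(user, None)
            return 200, "ok"
        n = self.failed_logins.get(user, 0) + 1
        self.failed_logins[user] = n
        if n >= self.lock_after:
            self.locked.add(user)
        return 401, "bad credentials"


def forged_post(victim_session: Session, form: Dict[str, str]) -> Request:
    """POST built by a third-party page: the browser adds the victim's cookie,
    but the attacker's HTML cannot carry a token it never saw."""
    return Request("POST", dict(form), victim_session)


def own_post(session: Session, form: Dict[str, str]) -> Request:
    """POST from the site's own form, which carried the hidden token field."""
    return Request("POST", {**form, "_csrf": session.csrf_token}, session)


def replay_attack(check_token: bool, attempts: int = 100) -> Tuple[int, bool]:
    """Run the cross-site replay; return (forged messages accepted, alice locked)."""
    site = Site(check_token=check_token)
    victim = Session()
    for _ in range(attempts):
        site.contact(forged_post(victim, {"message": "spam"}))
        site.login(forged_post(victim, {"username": "alice", "password": "guess"}))
    # the victim's own legitimate postback must still succeed in both configurations
    assert site.contact(own_post(victim, {"message": "hello"}))[0] == 200
    return len(site.messages) - 1, "alice" in site.locked


if __name__ == "__main__":
    print("without token check:", replay_attack(False))  # (100, True)
    print("with token check:   ", replay_attack(True))   # (0, False)
```

The token check is what makes "just give them a fresh view and ask them to submit again" safe: a stale or rebuilt view is harmless for a genuine user, who will get a freshly rendered form with a valid token, while a forged cross-site postback never had one in the first place.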


