[seam-dev] XSRF and JSF2
Shane Bryzak
shane.bryzak at jboss.com
Thu Oct 2 21:31:36 EDT 2008
Christian Bauer wrote:
>
> On Oct 03, 2008, at 03:20 , Shane Bryzak wrote:
>
>> Why couldn't it just request the application's home page and parse
>> the response to extract the token value?
>
> Because it's a random value that is generated for each form instance.
> A good random. Shane, you know what the JSF view identifier for
> server-side state saving is and how it is propagated onto the client
> and validated on the server? That's the XSRF protection. I'm wondering
> if you have the same in Seam Remoting and if in general, the
> randomness of the JSF identifier is good enough.
So, for this token to actually work, it must be propagated with every
single request that is sent to the server - included as a request
parameter with every single link, form submission, basically every
single GET and POST request that is made must include the token, right?
>
>> Ok, so in this case prevention is the best medicine, and if I'm
>> understanding correctly there's not much that can be done to protect
>> against/detect an XSS attack once the security hole has been exploited.
>
> I don't understand that. Let's forget about XSS for a moment and focus
> on XSRF.
Good idea.
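The per-form token binding Christian describes, as an added illustration that is not Seam or JSF code: a minimal synchronizer-token check in Python, where a random token issued for a rendered form is stored against the owning session and a POST is accepted only if it carries a token from that same session. The session ids, the in-memory store and the single-use consumption of a token are constructed assumptions for the example, not details of JSF's view state.

```python
import hmac
import secrets


class TokenStore:
    """Stand-in for server-side form state: outstanding tokens keyed by session id."""

    def __init__(self):
        self._tokens = {}  # session_id -> set of tokens issued to that session

    def issue(self, session_id):
        # One fresh CSPRNG token per form render. It is delivered only in the
        # response to the browser owning this session, so another origin
        # cannot read it and a token parsed from the attacker's own page fetch
        # belongs to the attacker's session, not the victim's.
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id, submitted):
        # Reject a missing token, a token issued to a different session,
        # and a token that was already consumed (single use, an added choice).
        if not submitted:
            return False
        outstanding = self._tokens.get(session_id, set())
        matched = next((t for t in outstanding
                        if hmac.compare_digest(t, submitted)), None)
        if matched is None:
            return False
        outstanding.discard(matched)
        return True


def handle_post(store, session_id, form):
    """Only state-changing requests are checked; GETs are kept side-effect free."""
    if not store.validate(session_id, form.get("token")):
        return 403, "rejected: missing or foreign form token"
    return 200, "ok"


def demo():
    store = TokenStore()
    victim, attacker = "sess-victim", "sess-attacker"   # constructed session ids
    tok = store.issue(victim)                            # victim renders a form
    assert handle_post(store, victim, {"token": tok}) == (200, "ok")
    foreign = store.issue(attacker)                      # attacker's own page fetch
    r_foreign = handle_post(store, victim, {"token": foreign})
    r_replay = handle_post(store, victim, {"token": tok})
    r_missing = handle_post(store, victim, {})
    return r_foreign[0], r_replay[0], r_missing[0]       # all three rejected
```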