[seam-dev] JSF and CSRF

Dan Allen dan.j.allen at gmail.com
Wed Mar 11 10:56:39 EDT 2009


On Wed, Mar 11, 2009 at 10:36 AM, Ashish Tonse <ashish.tonse at gmail.com> wrote:

>   Regarding the generation of the hash, would s:token also address the
> possibility of replay attacks? (Where the same request can be sent multiple
> times without having to modify the contents, but still have a malicious
> effect). If it doesn't, I would consider looking at also generating a random
> number when rendering s:token, and that random number is stored on the
> server viewstate and client side (for each request), and used in
> calculating the hash. This number would change with each request.
>
>   If this is an already addressed issue, please ignore. My knowledge of internal
> JSF workings (form client ID for example) is limited compared to that of
> hashing/replay attacks/etc.


It's a valid concern. Currently in Seam, replay attacks are only addressed if
you end the conversation in the POST (hence the conversation id is no longer
valid and Seam will abort the request). But yes, let's work out exactly what
gets added when. The details help this move along.

The problem I see is that in client-side state saving, at least, the view is
controlled by the client, so you can't change the view-scope because the
client is providing it. It would work with server-side state saving since
the server controls the view scope. A random number would be stored in the
form each time it is rendered and that random number is also included in the
view signature. That number would then be used when recreating the hash
during decode.

UIForm#setAttribute("renderStamp", randomValue);

sha1( signature = contextPath + "," + viewId + "," + formClientId + "," +
renderStamp, salt = browserUid )

So basically, this is inconsequential in client-side state saving, but will
harden server-side state saving.

-Dan

-- 
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action

http://mojavelinux.com
http://mojavelinux.com/seaminaction

NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters.  Please don't hesitate to resend a message if
you feel that it did not reach my attention.
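An added simulation of the render-stamp scheme sketched in the message above, written in Python for this page (it is not Seam code, and the class and function names are hypothetical): a keyed SHA-1 with browserUid as the key stands in for the "sha1(signature, salt = browserUid)" notation, the server-side variant consumes the stamp on decode so a second submission of the same POST is rejected, and the client-side variant shows why the stamp adds no replay protection when the client supplies the view state.

```python
import hashlib
import hmac
import secrets


def sign(context_path, view_id, form_client_id, render_stamp, browser_uid):
    # Same fields as the sketch: contextPath,viewId,formClientId,renderStamp.
    # HMAC-SHA1 keyed with browserUid is this example's choice of salted hash.
    signature = ",".join([context_path, view_id, form_client_id, render_stamp])
    return hmac.new(browser_uid.encode(), signature.encode(), hashlib.sha1).hexdigest()


class ServerSideViewState:
    """Hypothetical stand-in for server-side state saving: the render stamp of
    each form lives only on the server, keyed by (viewId, formClientId)."""

    def __init__(self):
        self._stamps = {}

    def render_form(self, context_path, view_id, form_client_id, browser_uid):
        # Fresh random stamp on every render; the client only ever sees the token.
        stamp = secrets.token_hex(16)
        self._stamps[(view_id, form_client_id)] = stamp
        return sign(context_path, view_id, form_client_id, stamp, browser_uid)

    def decode_form(self, context_path, view_id, form_client_id, browser_uid, token):
        # The stamp is consumed on decode, so the same token is never accepted twice.
        stamp = self._stamps.pop((view_id, form_client_id), None)
        if stamp is None:
            return False  # no pending render: a replayed or stale submission
        expected = sign(context_path, view_id, form_client_id, stamp, browser_uid)
        return hmac.compare_digest(expected, token)


def render_client_side(context_path, view_id, form_client_id, browser_uid):
    # Client-side state saving: the stamp travels to the client inside the view state.
    stamp = secrets.token_hex(16)
    return stamp, sign(context_path, view_id, form_client_id, stamp, browser_uid)


def decode_client_side(context_path, view_id, form_client_id, stamp, browser_uid, token):
    # The stamp comes back from the client, so the server can only check that token
    # and stamp agree; a replayed request resubmits both and still verifies.
    expected = sign(context_path, view_id, form_client_id, stamp, browser_uid)
    return hmac.compare_digest(expected, token)
```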