CSRF / CSS protection?
farble1670 | Joined: 13/Jan/2009 | Messages: 66

Does ICEfaces offer any particular protection against CSRF (cross-site request forgery) or XSS (cross-site scripting) vulnerabilities?

If anyone has any pointers to discussions of JSF / CSRF + XSS, it would be appreciated.

Thanks.
wilbur_t | Joined: 26/Oct/2004 | Messages: 87

You can refer to the security whitepaper at http://www.icefaces.org/main/resources/whitepapers.iface for information.
farble1670 | Joined: 13/Jan/2009 | Messages: 66

Thanks wilbur,

That document doesn't reference CSRF at all, and I don't see anything in there to indicate that ICEfaces does anything in particular to avoid it.

Can you confirm this?
rainwebs | Joined: 24/Jul/2007 | Messages: 237

If I understand the limitations section in http://en.wikipedia.org/wiki/Cross-site_request_forgery correctly, the most important thing in your security design is to cross-check the form entries you get.

I wonder if the "simple" usage of Spring Security delivers what you need here.

farble1670 | Joined: 13/Jan/2009 | Messages: 66

I'm not using Spring ... but this is what I'm thinking for pure JSF:

A session bean, say FormSecurityBean, with

setToken(String)
getToken()

In each form, add a

<ice:inputHidden value="#{formSecurityBean.token}"/>

getToken() generates a random #, and encrypts it with a key known only to the server (obviously). The unencrypted value is stored in a set and returned.
setToken(String) accepts the encrypted random string and decrypts it. If the decrypted value is in the set, then success; remove the value from the set. If it's not in the set, then fail, it's a CSRF.

There might also need to be a timestamp on the tokens so they expire after a certain time (they'd time out with the session of course, but that might not be sufficient). Or perhaps a max size of the set might be obtained. For example, the # of forms that have been rendered for the user but not submitted would probably be small.

*I think* the above would work, but there's nothing the app could do to protect the Ajax posts that ICEfaces performs.
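The token scheme sketched in the post above, written out as an added example (not code from the thread, ICEfaces or JSF): a plain Java class named FormSecurityBean with the getToken()/setToken() pair, the server-side set of outstanding plaintext tokens, a per-token issue timestamp for expiry and a cap on the set's size. The JSF session-scope annotation is omitted so the class compiles and runs on its own; the AES key, the 15-minute TTL and the cap of 32 outstanding forms are assumptions for the demonstration, and the hidden-field binding would point at these two methods exactly as in the post.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical session bean following the design in the post; no JSF dependencies.
public class FormSecurityBean {
    private static final int TOKEN_BYTES = 16;                 // assumed: 128-bit random token
    private static final int MAX_OUTSTANDING = 32;             // assumed cap on rendered-but-unsubmitted forms
    private static final long TTL_MILLIS = 15 * 60 * 1000L;    // assumed token lifetime

    private final SecretKey serverKey;                         // known only to the server
    private final SecureRandom random = new SecureRandom();
    // plaintext token -> issue time; insertion order lets us evict the oldest first
    private final Map<String, Long> outstanding = new LinkedHashMap<>();
    private boolean lastCheckPassed;

    public FormSecurityBean(SecretKey serverKey) { this.serverKey = serverKey; }

    // getToken(): fresh random value, plaintext remembered, ciphertext rendered into the hidden field
    public synchronized String getToken() throws Exception {
        long now = System.currentTimeMillis();
        expireOld(now);
        byte[] raw = new byte[TOKEN_BYTES];
        random.nextBytes(raw);
        String plain = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        outstanding.put(plain, now);
        // cap the set: drop the oldest outstanding tokens once the limit is exceeded
        Iterator<String> it = outstanding.keySet().iterator();
        while (outstanding.size() > MAX_OUTSTANDING && it.hasNext()) { it.next(); it.remove(); }
        return encrypt(plain);
    }

    // setToken(): decrypt, accept only if the plaintext is outstanding and unexpired, then burn it
    public synchronized void setToken(String submitted) {
        lastCheckPassed = false;
        String plain;
        try { plain = decrypt(submitted); } catch (Exception tamperedOrGarbage) { return; }
        Long issued = outstanding.remove(plain);               // one-time use: removed on first check
        lastCheckPassed = issued != null && System.currentTimeMillis() - issued <= TTL_MILLIS;
    }

    // Result of the most recent setToken() call; the action method consults this before doing work.
    public synchronized boolean lastCheckPassed() { return lastCheckPassed; }

    private void expireOld(long now) {
        outstanding.entrySet().removeIf(e -> now - e.getValue() > TTL_MILLIS);
    }

    // AES-GCM with a random 96-bit nonce prepended; GCM also rejects tampered ciphertext on decrypt.
    private String encrypt(String plain) throws Exception {
        byte[] iv = new byte[12];
        random.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, serverKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] all = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(all);
    }

    private String decrypt(String token) throws Exception {
        byte[] all = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(128, all, 0, 12));
        return new String(c.doFinal(all, 12, all.length - 12), StandardCharsets.UTF_8);
    }

    // Stand-alone demonstration: a genuine submit, a replay of the same token, and a forged value.
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        FormSecurityBean bean = new FormSecurityBean(kg.generateKey());
        String rendered = bean.getToken();
        bean.setToken(rendered);
        System.out.println("first submit accepted: " + bean.lastCheckPassed());
        bean.setToken(rendered);
        System.out.println("replay accepted:       " + bean.lastCheckPassed());
        bean.setToken("not-a-token-the-server-issued");
        System.out.println("forged accepted:       " + bean.lastCheckPassed());
    }
}
```

Running main() shows the first submission accepted and both the replay and the forged value rejected. Two points worth knowing when adapting this: because the check is membership in server-side state, the token is already unforgeable as a bare random value, so the encryption step adds defence in depth rather than being what stops the forgery; and one-time tokens per rendered form reject legitimate resubmits from a second tab or the back button, which is why many frameworks instead issue one token per session and compare it in constant time.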

 
Forum Index -> General Help
Go to:   
Powered by JForum 2.1.7ice © JForum Team