tapestry-dev mailing list archives

From "Ulrich Stärk" <...@spielviel.de>
Subject Re: CSRF protection
Date Sun, 08 May 2011 01:48:22 GMT
Markus,

that all sounds very good. I'll have a look at it once I'm back from
vacation on Tuesday.

I'm curious to see what the others say.

Uli

On Sat, 7.05.2011, 22:53, Markus Jung wrote:
> Hi,
>
> I have created a quite simple app that I will use to demonstrate CSRF
> attacks. Throughout the development I will show how to protect this app
> with the CSRF protection I'm going to implement.
>
> The app is called LittleChirp and is a mockup of a basic social network
> site which allows setting a small status message for a user.
>
> There are 3 functionalities implemented:
>
> -) User Login
> -) Status Message Update and display of previous posts
> -) User Logout
>
> There are two pages, Index and Status, and one component, Layout.
>
> The Index page contains the login logic. The authentication is done by
> using a custom AuthenticationState class placed in a util package.
>
> The Status page contains the logic to add status messages. The messages are
> put in an ArrayList stored in the session. No persistence is used, since
> it would make the app more complex without any benefit for CSRF security
> demonstration. A post form is used to send new status messages to the
> page.
>
> The logout functionality is realized with an actionlink that issues a GET
> request. This is considered to be bad design. But I think it should also
> be possible to protect such actions. The logout functionality is part of the
> Layout component.
>
> The attack site is a simple HTML site that contains crafted requests to
> the locally started Tapestry app. There are two attacks, one for the status
> update form and one for the logout link.
>
> I think this will be a good showcase for CSRF protection. If somebody is
> missing something please let me know.
>
> How to run it:
>
> Project name: victimapp
> Project hosted: http://code.google.com/p/gsoc2011-csrf-protection/
> SVN-Repo: http://gsoc2011-csrf-protection.googlecode.com/svn/trunk/
> Run: mvn jetty:run
> Browse: http://localhost:8080/victimapp
>
> Attacksite: just open the single html file provided. There are two actions
> that can be executed there.
>
> I will document this showcase at http://viennamarkus.blogspot.com/. I will
> also post information about further progress there.
>
> Maybe it is also a good idea to put this at some point on the official
> Tapestry documentation site.
>
> KR
> Markus
>
> --
> View this message in context:
> http://tapestry.1045711.n5.nabble.com/CSRF-protection-tp4379034p4379034.html
> Sent from the Tapestry - Dev mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: dev-help@tapestry.apache.org
>
>


