[Seaside-dev] Seaside and CSRF attacks

Max Leske maxleske at gmail.com
Tue Aug 21 19:44:12 UTC 2018


Hi Tim,

CSRF usually requires a URL that can trigger an action. In Seaside, if 
you use continuations, the URL will contain a continuation key that 
specifies the state of the session (the session will usually be 
identified by a cookie). Every callback (action) has a key.
Since the continuation key is a random string bound to the session 
(multiple sessions could use the same continuation key without problems) 
an attacker would have to guess the continuation key in order to perform 
a CSRF. In addition, callbacks are usually state dependent, i.e. specific 
to a page and the state of that page, so it's usually not possible to 
trigger a callback outside of this context.

Of course, you can use Seaside in a way that totally makes CSRF trivial 
;)

As for classes, that depends on the version of Seaside you want to use.

Cheers,
Max


On 21 Aug 2018, at 21:08, tim Rowledge wrote:

> It's been a looong time since I did any work with Seaside. In fact I 
> suspect the last thing I did with it was to persuade Avi that separate 
> template files etc weren't nice and I think that led to seaside 2.
>
> Right now I need to remember/relearn where the system deals with the 
> keys that ensure the incoming requests talk to the right widgets. I 
> have a problem with convincing some potential customers that a seaside 
> application is resistant to a CSRF attack and I'm having a hell of a 
> time digging into the current code. Pointers to the relevant 
> classes would save some strain on my aging eyes. If anyone has any 
> specific knowledge about the whole CSRF thing I'd be delighted to hear 
> about it! I've tried testing with some OWASP tools (nasty icky java) 
> but it's hard trying to make sense of the problem.
>
> (It doesn't help that this is within a VW8.3 system and I haven't used 
> VW since I stopped being the manager of the VW development group - in 
> '95! )
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> Eagles may soar, but weasels aren't sucked into jet engines.
>
>
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
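
A toy model of the mechanism Max describes, added here as an illustration and not Seaside's own code: a session identified by a cookie, a random continuation key minted for every rendered page, and a random key per callback, with the server refusing anything that does not match. All class and method names are made up for the example, and the three requests in demo() are constructed.

```python
import secrets

class Session:
    def __init__(self):
        self.cookie = secrets.token_urlsafe(16)  # what the browser sends back automatically
        # continuation key -> {callback key -> action}; both minted on every render
        self.pages = {}

    def render(self, actions):
        """Render a page: mint a fresh continuation key and register the page's
        callbacks under fresh random keys; keys from earlier renders are dropped."""
        continuation_key = secrets.token_urlsafe(16)
        self.pages = {continuation_key: {secrets.token_urlsafe(8): a for a in actions}}
        return continuation_key, list(self.pages[continuation_key])

class Server:
    def __init__(self):
        self.sessions = {}

    def new_session(self):
        session = Session()
        self.sessions[session.cookie] = session
        return session

    def handle(self, cookie, continuation_key, callback_key):
        """Cookie selects the session, continuation key the page state, callback key the action."""
        session = self.sessions.get(cookie)
        if session is None:
            return "rejected: no session"
        page = session.pages.get(continuation_key)
        if page is None:
            return "rejected: unknown continuation key"
        action = page.get(callback_key)
        if action is None:
            return "rejected: unknown callback key"
        return action()

def demo():
    server = Server()
    session = server.new_session()
    ck, (transfer_key,) = session.render([lambda: "transfer executed"])
    results = {}
    # 1. The rendered page submits both URL keys together with the cookie: accepted.
    results["legitimate"] = server.handle(session.cookie, ck, transfer_key)
    # 2. A cross-site request rides on the auto-attached cookie but must guess the URL keys.
    results["forged"] = server.handle(session.cookie, "guessed-ck", "guessed-cb")
    # 3. After the user moves to another page, the once-valid keys no longer reach the callback.
    session.render([lambda: "logout executed"])
    results["stale"] = server.handle(session.cookie, ck, transfer_key)
    return results
```

The third case is the "state dependent" point from the reply: the keys are only good for the page state that produced them, so a link captured from one page cannot drive an action once the session has moved on.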

