[Seaside-dev] Seaside and CSRF attacks
Max Leske
maxleske at gmail.com
Tue Aug 21 19:44:12 UTC 2018
Hi Tim,
CSRF usually requires a URL that can trigger an action. In Seaside, if
you use continuations, the URL will contain a continuation key that
specifies the state of the session (the session will usually be
identified by a cookie). Every callback (action) has a key.
Since the continuation key is a random string bound to the session
(multiple sessions could use the same continuation key without problems)
an attacker would have to guess the continuation key in order to perform
a CSRF. In addition, callbacks are usually state dependent, i.e. specific
to a page and the state of that page, so it's usually not possible to
trigger a callback outside of this context.
Of course, you can use Seaside in a way that totally makes CSRF trivial ;)
As for classes, that depends on the version of Seaside you want to use.
Cheers,
Max
On 21 Aug 2018, at 21:08, tim Rowledge wrote:
> It's been a looong time since I did any work with Seaside. In fact I
> suspect the last thing I did with it was to persuade Avi that separate
> template files etc weren't nice and I think that led to Seaside 2.
>
> Right now I need to remember/relearn where the system deals with the
> keys that ensure the incoming requests talk to the right widgets. I
> have a problem with convincing some potential customers that a seaside
> application is resistant to a CSRF attack and I'm having a hell of a
> time digging into the current code. Pointers to the relevant
> classes would save some strain on my aging eyes. If anyone has any
> specific knowledge about the whole CSRF thing I'd be delighted to hear
> about it! I've tried testing with some OWASP tools (nasty icky java)
> but it's hard trying to make sense of the problem.
>
> (It doesn't help that this is within a VW8.3 system and I haven't used
> VW since I stopped being the manager of the VW development group - in
> '95! )
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> Eagles may soar, but weasels aren't sucked into jet engines.
>
>
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
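Max's reply above describes the mechanism in prose: the session is found via a cookie, each rendered page registers its actions under fresh random callback keys, and a request is only dispatched when the key it carries is registered in that session's current page state. The following is an added Python model of that mechanism, written for this thread to make the argument concrete; it is not Seaside code and uses none of Seaside's classes (names such as `App`, `Session`, `render_page` and `handle_request` are invented for the example). It shows why a cross-site request, which the browser sends with the cookie attached, is still rejected: the third party never saw the page, so it holds no valid key, and keys from another session or from an earlier rendering of the page are rejected too.

```python
from __future__ import annotations

import secrets
from typing import Callable


class Session:
    """One user session, located by its cookie value (model, not Seaside's WASession)."""

    def __init__(self, cookie: str) -> None:
        self.cookie = cookie
        self.callbacks = {}  # callback key (random string) -> action registered for the current page
        self.balance = 100   # some per-session state that the actions change


def withdraw(session: Session) -> None:
    session.balance -= 10


def deposit(session: Session) -> None:
    session.balance += 10


class App:
    """Minimal model of Seaside-style callback dispatch (constructed for illustration)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def new_session(self) -> str:
        """Start a session and return the cookie value that identifies it."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = Session(cookie)
        return cookie

    def render_page(self, cookie: str) -> dict[str, str]:
        """Render the 'account' page for a session.

        Every action gets a fresh random key and the keys minted for the
        previous rendering are discarded, so a key only works against the
        page state it was rendered into. Returns the action -> key mapping
        that the page's links would embed.
        """
        session = self.sessions[cookie]
        session.callbacks.clear()
        actions: dict[str, Callable[[Session], None]] = {"withdraw": withdraw, "deposit": deposit}
        links: dict[str, str] = {}
        for name, action in actions.items():
            key = secrets.token_urlsafe(16)
            session.callbacks[key] = action
            links[name] = key
        return links

    def handle_request(self, cookie: str | None, key: str | None) -> str:
        """Dispatch an incoming request: the cookie selects the session, the
        key must be one registered in that session's current page."""
        session = self.sessions.get(cookie)
        if session is None:
            return "rejected: no session"
        action = session.callbacks.get(key)
        if action is None:
            return "rejected: unknown callback key"
        action(session)
        return "ok"


def scenarios() -> dict[str, object]:
    """Run the four request shapes discussed in the thread and collect the outcomes."""
    app = App()
    cookie = app.new_session()
    links = app.render_page(cookie)
    results: dict[str, object] = {}

    # 1. A link from the page the user is actually looking at: cookie plus its key.
    results["legitimate"] = app.handle_request(cookie, links["withdraw"])

    # 2. A cross-site request: the browser attaches the cookie automatically,
    #    but the requesting site never saw the page, so the key is a blind guess.
    results["cross_site_guess"] = app.handle_request(cookie, secrets.token_urlsafe(16))

    # 3. A key that is valid in one session, presented with another session's cookie.
    other_cookie = app.new_session()
    results["key_from_other_session"] = app.handle_request(other_cookie, links["withdraw"])

    # 4. A key from an earlier rendering, after the page state moved on.
    app.render_page(cookie)
    results["stale_key"] = app.handle_request(cookie, links["withdraw"])

    results["balance"] = app.sessions[cookie].balance  # only scenario 1 changed it: 100 -> 90
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The model deliberately keeps the key lookup per session rather than global, which is the property Max points at: two sessions can hold the same key for different actions without interfering, so knowing a key is useless without also holding the cookie of the session it was minted for, and holding the cookie (which a cross-site request does) is useless without the key.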