[Seaside-dev] Seaside and CSRF attacks

Esteban A. Maringolo emaringolo at gmail.com
Tue Aug 21 20:07:06 UTC 2018


Hi,

On 21/08/2018 16:44, Max Leske wrote:
> Hi Tim,
>
> CSRF usually requires a URL that can trigger an action. In Seaside, if
> you use continuations, the URL will contain a continuation key that
> specifies the state of the session (the session will usually be
> identified by a cookie). Every callback (action) has a key.

If you use plain HTTP (that is, non-HTTPS) and get a man in the middle it
would be simple to activate the same continuation more than once.
However a MITM is sophisticated even in the simplest case, so unless your
application/data is critical, it isn't a big concern either, but would
be an unnecessary risk since it's easy to use SSL these days.

> Since the continuation key is a random string bound to the session
> (multiple sessions could use the same continuation key without problems)
> an attacker would have to guess the continuation key in order to perform
> a CSRF. In addition callbacks are usually state dependent, i.e. specific
> to a page and the state to that page, so it's usually not possible to
> trigger a callback outside of this context.

On the component level that would be true, but the state of pages and
the state of the underlying model objects or data stored in a database
is unpredictable.

In its "heresy" an HTTP GET is not idempotent in Seaside, so requesting
it more than once and having that action doing harm depends more on how
the Seaside application was programmed, but in my experience (and way of
working with Seaside) you don't program "defending" against that.

In an AJAX world, I'd like callbacks to be valid only once.

> Of course, you can use Seaside in a way that totally makes CSRF trivial ;)

Summarizing, I agree with what Max mentions, and basically Seaside
provides some sort of security through obfuscation regarding the
crafting of the CSRF, since the keys are random.


> As for classes, that depends on the version of Seaside you want to use.

I'm working with Seaside in VW, let me know if you need any further help
with that. Seaside in VW isn't as updated as in other platforms.

-- 
Esteban A. Maringolo
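The mechanism the thread is discussing, random callback keys bound to a session, and the "valid only once" behaviour Esteban would like for AJAX callbacks, modelled as a small Python registry. This is an added illustration, not Seaside's code and not Smalltalk; `CallbackRegistry`, the `single_use` flag and the `demo` function are hypothetical names chosen for this example. It shows the difference between a multi-use key (a replayed request triggers the action again, the risk raised above) and a single-use key (the replay is rejected), and that a key presented under a different session identifier is rejected regardless.

```python
import hmac
import secrets


class CallbackRegistry:
    """Hypothetical session-scoped registry of callbacks addressed by random keys.

    Each registered action receives an unguessable key. The key only resolves
    inside the session that issued it, and when single_use is set the key is
    consumed on first invocation so a replayed request cannot fire it twice.
    """

    def __init__(self, session_id: str, single_use: bool = True):
        self.session_id = session_id
        self.single_use = single_use
        self._callbacks = {}

    def register(self, action) -> str:
        # 24 random bytes (192 bits) from the OS CSPRNG: not guessable.
        key = secrets.token_urlsafe(24)
        self._callbacks[key] = action
        return key

    def invoke(self, session_id: str, key: str):
        # The key is only meaningful inside the session that issued it;
        # constant-time comparison avoids leaking the expected id byte by byte.
        if not hmac.compare_digest(session_id, self.session_id):
            raise PermissionError("callback key presented outside its session")
        action = self._callbacks.get(key)
        if action is None:
            raise KeyError("unknown or already-consumed callback key")
        if self.single_use:
            # Consume the key: a second request with the same key is rejected.
            del self._callbacks[key]
        return action()


def demo(single_use: bool):
    """Run one non-idempotent action through the registry and replay it.

    Returns (balance after first call, replay rejected?, cross-session
    rejected?, final balance). Constructed sample state, not real data.
    """
    balance = {"amount": 100}

    def withdraw():
        # A non-idempotent action: calling it twice does twice the damage.
        balance["amount"] -= 30
        return balance["amount"]

    registry = CallbackRegistry(session_id="session-A", single_use=single_use)
    key = registry.register(withdraw)

    after_first = registry.invoke("session-A", key)

    replay_rejected = False
    try:
        registry.invoke("session-A", key)
    except KeyError:
        replay_rejected = True

    cross_session_rejected = False
    try:
        registry.invoke("session-B", key)
    except PermissionError:
        cross_session_rejected = True

    return after_first, replay_rejected, cross_session_rejected, balance["amount"]


if __name__ == "__main__":
    print("multi-use key: ", demo(single_use=False))
    print("single-use key:", demo(single_use=True))
```

With a multi-use key the replayed request succeeds and the balance drops twice; with a single-use key the first call succeeds and the replay raises. The cross-session check is independent of `single_use`, which is the property Max describes: the key is bound to the session that issued it.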

