[Seaside-dev] Seaside and CSRF attacks
tim Rowledge
tim at rowledge.org
Tue Aug 21 20:14:56 UTC 2018
Thanks Max,
> On 21-08-2018, at 12:44 PM, Max Leske <maxleske at gmail.com> wrote:
>
> Hi Tim,
>
> CSRF usually requires a URL that can trigger an action. In Seaside, if you use continuations, the URL will contain a continuation key that specifies the state of the session (the session will usually be identified by a cookie). Every callback (action) has a key.
> Since the continuation key is a random string bound to the session (multiple sessions could use the same continuation key without problems) an attacker would have to guess the continuation key in order to perform a CSRF. In addition callbacks are usually state dependent, i.e. specific to a page and the state of that page, so it's usually not possible to trigger a callback outside of this context.
That's a good explanation of what I very vaguely remembered from deep history. It would be nice to add it to the seaside security page section on CSRF, rather than the current rather short entry.
>
> Of course, you can use Seaside in a way that totally makes CSRF trivial ;)
As the old aphorism goes, some people can write bad FORTRAN in any language...
>
> As for classes, that depends on the version of Seaside you want to use.
It's a 2013 package for VW; can't find any obvious version numbering. Whatever Cincom include with VW8.3.
tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Useful random insult:- Thinks everyone else is entitled to his opinion, like it or not.
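The mechanism Max describes above (a random callback key that is bound to one session and to one rendered page, contrasted with a static action URL that any cross-site form can hit) is modelled below as an added example. This is illustrative Python written for this page, not Seaside's own code (which is Smalltalk) and not the list's; `Session`, `render_page`, `dispatch_keyed`, `dispatch_static` and the URL parameters `_s`/`_k` are hypothetical names chosen for the model.

```python
"""Model of session-bound, per-page callback keys versus a static action URL.

Added illustration of the anti-CSRF property discussed in the thread; not
Seaside's implementation.  All names here are invented for the model.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

Action = Callable[[], str]


@dataclass
class Session:
    """One user session (identified by a cookie in a real framework)."""
    name: str
    # Callbacks registered for the *currently rendered* page only.
    callbacks: Dict[str, Action] = field(default_factory=dict)


def render_page(session: Session, actions: Dict[str, Action]) -> Dict[str, str]:
    """Simulate rendering a page for one session.

    Every action on the page gets a fresh random key; the keys of the
    previously rendered page are discarded, so a callback can only be
    triggered in the page state that offered it.
    """
    session.callbacks = {}
    urls: Dict[str, str] = {}
    for label, action in actions.items():
        key = secrets.token_urlsafe(16)        # 128 random bits: not guessable
        session.callbacks[key] = action
        urls[label] = f"/app?_s={session.name}&_k={key}"   # hypothetical URL shape
    return urls


def dispatch_keyed(session: Session, key: str) -> Optional[str]:
    """Run a callback only if this key was registered for this session's current page.

    A key taken from another session, a guessed key, or a key from an
    earlier rendering of the page all fail the lookup and do nothing.
    """
    action = session.callbacks.get(key)
    return None if action is None else action()


# The "trivial CSRF" shape: a fixed, bookmarkable action route.  The cookie
# identifies the session, but nothing in the request proves the user meant it.
STATIC_ROUTES: Dict[str, Action] = {
    "/delete-account": lambda: "deleted",
}


def dispatch_static(path: str) -> Optional[str]:
    """Any request naming the path fires the action, cross-site or not."""
    action = STATIC_ROUTES.get(path)
    return None if action is None else action()


def key_from_url(url: str) -> str:
    """Extract the callback key from a URL produced by render_page."""
    return url.split("_k=", 1)[1]


def demo() -> Dict[str, Optional[str]]:
    """Walk through the cases from the thread and return each outcome."""
    alice = Session("alice")
    bob = Session("bob")
    urls = render_page(alice, {"delete": lambda: "deleted"})
    alice_key = key_from_url(urls["delete"])
    render_page(bob, {"delete": lambda: "deleted"})

    results = {
        # Legitimate click on the page Alice is looking at.
        "genuine": dispatch_keyed(alice, alice_key),
        # Attacker guesses a key (128 random bits make this hopeless).
        "guessed": dispatch_keyed(alice, "AAAAAAAAAAAAAAAAAAAAAA"),
        # Attacker replays Alice's key against Bob's session: key is session-bound.
        "cross_session": dispatch_keyed(bob, alice_key),
        # Cross-site form posts to a static route: the cookie is enough.
        "static_route": dispatch_static("/delete-account"),
    }
    # Alice navigates on; the old page's keys are no longer valid.
    render_page(alice, {"view": lambda: "viewed"})
    results["stale_after_rerender"] = dispatch_keyed(alice, alice_key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>22}: {outcome}")
```

The only case in which the forged request succeeds is the static route, which is the "use Seaside in a way that makes CSRF trivial" shape: an action reachable from a fixed URL with nothing but the session cookie to authorise it.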