[Seaside-dev] Seaside and CSRF attacks
Max Leske
maxleske at gmail.com
Wed Aug 22 05:44:56 UTC 2018
On 21 Aug 2018, at 22:14, tim Rowledge wrote:
> Thanks Max,
>
>> On 21-08-2018, at 12:44 PM, Max Leske <maxleske at gmail.com> wrote:
>>
>> Hi Tim,
>>
>> CSRF usually requires a URL that can trigger an action. In Seaside,
>> if you use continuations, the URL will contain a continuation key
>> that specifies the state of the session (the session will usually be
>> identified by a cookie). Every callback (action) has a key.
>> Since the continuation key is a random string bound to the session
>> (multiple sessions could use the same continuation key without
>> problems) an attacker would have to guess the continuation key in
>> order to perform a CSRF. In addition, callbacks are usually state
>> dependent, i.e. specific to a page and the state of that page, so
>> it's usually not possible to trigger a callback outside of this
>> context.
>
> That's a good explanation of what I very vaguely remembered from deep
> history. It would be nice to add it to the seaside security page
> section on CSRF, rather than the current rather short entry.
Yes, we should probably add something. I'll open an issue on github so
we don't forget.
>
>>
>> Of course, you can use Seaside in a way that totally makes CSRF
>> trivial ;)
>
> As the old aphorism goes, some people can write bad FORTRAN in any
> language...
>
>>
>> As for classes, that depends on the version of Seaside you want to
>> use.
>
> It's a 2013 package for VW; can't find any obvious version numbering.
> Whatever Cincom include with VW8.3.
>
>
> tim
> --
> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
> Useful random insult:- Thinks everyone else is entitled to his
> opinion, like it or not.
>
>
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
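The mechanism Max describes above (a random continuation key in the URL, callbacks bound to a session and to the state of the page that rendered them, and the "trivial CSRF" case where an action sits behind a fixed URL gated only by the cookie) modelled as a small Python simulation. This is an added example written for this archive page, not Seaside's own code: the `_s`/`_k` parameter names follow Seaside's URL layout, but `SeasideLikeApp`, `PredictableUrlApp`, the transfer page and the balances are constructed for illustration, and session lookup is done from the cookie as the post describes.

```python
"""Seaside-style callback URLs versus a predictable action URL, as a CSRF model.
Added example for the thread above; not Seaside code. Names, the 'transfer'
page and all balances are constructed for illustration."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

Action = Callable[[], None]


@dataclass
class Session:
    key: str                       # session key: sent as the cookie and as _s
    balance: int = 100             # constructed account state acted on by callbacks
    # continuation key (_k) -> {callback number -> action registered on that render}
    continuations: Dict[str, Dict[int, Action]] = field(default_factory=dict)


class SeasideLikeApp:
    """Every render of a page mints a fresh random continuation key and registers
    the page's callbacks under it. A request only runs a callback when the session
    (from the cookie), the continuation key and the callback number all match
    something that was actually rendered for that session."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> Session:
        s = Session(key=secrets.token_urlsafe(16))          # 128 random bits
        self.sessions[s.key] = s
        return s

    def render_transfer_page(self, session: Session, to: str, amount: int) -> str:
        """Render a 'confirm transfer' page. The callback closes over the page
        state (recipient, amount), so it is meaningful only in that context."""
        k = secrets.token_urlsafe(16)                         # unguessable _k

        def confirm() -> None:
            session.balance -= amount                         # 'to' is informational here

        session.continuations[k] = {1: confirm}
        # Seaside-style callback URL: /app?_s=<session>&_k=<continuation>&<callback number>
        return f"/app?_s={session.key}&_k={k}&1"

    def handle(self, cookie_session: Optional[str], url: str) -> str:
        """Dispatch a request; the browser attaches the cookie automatically."""
        session = self.sessions.get(cookie_session or "")
        parsed = urlparse(url)
        qs = parse_qs(parsed.query, keep_blank_values=True)
        if session is None or qs.get("_s", [""])[0] != session.key:
            return "no session"
        callbacks = session.continuations.get(qs.get("_k", [""])[0])
        if callbacks is None:
            return "unknown continuation"     # attacker has to guess 128 bits
        numbers = [int(name) for name in qs if name.isdigit()]
        if not numbers or numbers[0] not in callbacks:
            return "unknown callback"
        callbacks[numbers[0]]()
        return "ok"


class PredictableUrlApp:
    """The 'trivial CSRF' case from the thread: the action lives at a fixed URL
    and only the session cookie gates it, so any site can forge the request."""

    def __init__(self, app: SeasideLikeApp) -> None:
        self.app = app

    def handle(self, cookie_session: Optional[str], url: str) -> str:
        session = self.app.sessions.get(cookie_session or "")
        if session is None:
            return "no session"
        parsed = urlparse(url)
        if parsed.path == "/transfer":
            session.balance -= int(parse_qs(parsed.query)["amount"][0])
            return "ok"
        return "not found"


def legitimate_click() -> int:
    """The user clicks the link the server rendered for them."""
    app = SeasideLikeApp()
    victim = app.new_session()
    url = app.render_transfer_page(victim, "alice", 30)
    app.handle(victim.key, url)
    return victim.balance                                     # 100 - 30


def csrf_against_callback_url() -> Tuple[str, int]:
    """An attacker page makes the victim's browser request a callback URL.
    Even if we grant the attacker the session key, _k is a fresh random
    string per render that never left the victim's page, so the guess fails."""
    app = SeasideLikeApp()
    victim = app.new_session()
    app.render_transfer_page(victim, "alice", 30)             # victim is on the page
    forged = f"/app?_s={victim.key}&_k={secrets.token_urlsafe(16)}&1"
    return app.handle(victim.key, forged), victim.balance


def csrf_against_predictable_url() -> int:
    """Same victim, same cookie, but the action is reachable at a fixed URL."""
    app = SeasideLikeApp()
    victim = app.new_session()
    PredictableUrlApp(app).handle(victim.key, "/transfer?to=mallory&amount=50")
    return victim.balance


if __name__ == "__main__":
    print(legitimate_click(), csrf_against_callback_url(), csrf_against_predictable_url())
```

The point of the two `handle` methods is the difference in what the attacker must know: with the callback URL the cookie alone is not enough, because the continuation key only ever existed in a page the server rendered to the victim, whereas the fixed `/transfer` URL can be written into any third-party page and the browser supplies the rest.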