

Apache Wicket's encrypted URLs don't protect from CSRF - samuirai
https://www.smrrd.de/apache-wickets-encrypted-urls-dont-protect-from-csrf.html

======
zaroth
It's somewhat bizarre to obfuscate the URL thinking it will stop CSRF, if
there's no anti-forgery token embedded within.

As Fabian says, just do the CSRF with the encrypted URL if it's not stateful.
When Apache Wicket does add state, apparently it's just a small incrementing
integer. Like an 8 bit anti-forgery token.

But all of this seems like so much over-engineering when one line of
Javascript to add a non-standard request header, and one line on the server to
fail if it's not present -- that's all you need?!

What I'm wondering, if you add an X- header with no actual token, do we agree
that's enough these days? I remember an old Flash version which allowed adding
X-headers outside the SOP, is that the only reason it's not considered fully
safe? I think if you're running outdated Flash your machine is completely
owned anyway and Anti-CSRF won't make a difference.

[1] - [http://security.stackexchange.com/questions/23371/csrf-
prote...](http://security.stackexchange.com/questions/23371/csrf-protection-
with-custom-headers-and-without-validating-token)

~~~
steakejjs
You'll notice a lot of people just have X-CSRF.* header (Stripe for example if
you want to check one out). In my opinion you might as well just go the full 9
and actually implement an anti-CSRF solution instead of a quick hack.

x-Requested-By works but your webapp can be built in a way that things like
insecure redirects fool you app.

The best solution is just to use tokens.

------
LukeB_UK
Wicket doesn't actually say it prevents CSRF, it says:

 _Sometimes URLs are a double–edged sword for our site because they can expose
too many details about the internal structure of our web application and
malicious users could exploit them to perform a cross-site request forgery._

To me, all this means is that it hides the url parameters so that the users
can't find as much about the workings of your app. To simply assume that this
is a means for protecting your app entirely from CSRF would be stupid.

------
LukeB_UK
404 from the main site so here is the Google cached version:
[http://webcache.googleusercontent.com/search?q=cache:https%3...](http://webcache.googleusercontent.com/search?q=cache:https%3A//www.smrrd.de/apache-
wickets-encrypted-urls-dont-protect-from-csrf.html)

------
ExpiredLink
404 Not Found

~~~
antimora
Is this a bot account? I am also getting a 404

~~~
valevk
Heh, no I think it's coincidence. Check the accounts' comments.

