GWT RPC XSRF protection
After adding GWT RPC XSRF protection, should the RPC calls be different?
I followed the changes mentioned in the post (GWT (2.4.0) + XSRF, https://developers.google.com/web-toolkit/doc/latest/devguidesecurityrpcxsrf) and got GWT RPC XSRF working; I can see the RPC calls wrapped in "com.google.gwt.user.client.rpc.xsrftoken". But I can still intercept the request in Fiddler and change the request to something else. I thought that after the protection I wouldn't be able to do this?
I can change getfirsturl in the original request in Fiddler to another valid parameter, "getsecondurl":
http://127.0.0.1:8888/myapp/|ac7025ad520a4366b89a555020174220|com.google.gwt.user.client.rpc.xsrftoken/4254043109|ec4ae16148312f61eb4c4da365f2f4b2|com.myapp.service.myservice|getfirsturl
What you describe is not XSRF, it's MITM. To protect against MITM one has to use HTTPS (or sign the request, but that's impractical, if ever possible, in browsers).
To simplify, XSRF is an attacker site forging a cross-site request (hence the name) to the victim site, making use of an existing cookie (or whatever) to authenticate the user, and gaining access to personal data and/or making changes on their behalf. To mitigate that, the server authenticates each request using both the user session and a token associated with that session that's part of the request payload (cookies are automatically added by the browser, so the attacker doesn't need to know them; tokens have to be known by the party making the request, and the attacker doesn't know the valid token).
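The answer's point, as an added illustration that is not part of the original question or answer and not GWT's own code: a session-bound XSRF token is checked against the session cookie on every request, which defeats a forged cross-site request (the attacker's page never sees the token) but does nothing against someone who can see the whole request on the wire, since they see the valid token too. The model below assumes the server derives the token as an HMAC of the session id under a server-side key (GWT's XsrfTokenServiceServlet derives its token differently; the binding to the session is the same idea), and all session ids, keys and method names are constructed sample values.

```python
"""Model of session-bound XSRF token validation and the MITM caveat.

Not GWT's implementation. Assumption: token = HMAC-SHA256(server_key, session_id).
"""
import hashlib
import hmac

# Constructed server-side secret; in a real deployment it never leaves the server.
SERVER_KEY = b"example-server-key-constructed"


def issue_token(session_id: str) -> str:
    """Token the token service hands to the page that owns this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_request(request: dict) -> bool:
    """Server-side check: the session cookie must be present and the token in the
    payload must be the one bound to that session (constant-time comparison)."""
    session_id = request.get("cookie_session")
    token = request.get("payload_token", "")
    if not session_id or not token:
        return False
    return hmac.compare_digest(issue_token(session_id), token)


def cross_site_request(session_id: str, method: str) -> dict:
    """A forged cross-site request: the browser attaches the victim's cookie
    automatically, but the attacker's page cannot read the token that was
    issued to the victim's page, so the payload carries no valid token."""
    return {"cookie_session": session_id, "payload_token": "", "method": method}


def on_path_modified_request(captured: dict, new_method: str) -> dict:
    """What a proxy on the client machine or a MITM on plain HTTP can do: the
    captured request already contains cookie and token, so only the method
    name changes and the token stays valid. This is what HTTPS is for."""
    modified = dict(captured)
    modified["method"] = new_method
    return modified


def demo() -> dict:
    """Run the three scenarios and report whether the server accepts each."""
    session_id = "sess-constructed-4254043109"
    legit = {
        "cookie_session": session_id,
        "payload_token": issue_token(session_id),
        "method": "getfirsturl",
    }
    forged = cross_site_request(session_id, "getfirsturl")
    tampered = on_path_modified_request(legit, "getsecondurl")
    return {
        "legit_accepted": validate_request(legit),        # True
        "cross_site_accepted": validate_request(forged),  # False: token check works
        "on_path_accepted": validate_request(tampered),   # True: token is still valid
        "on_path_method": tampered["method"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check only proves that whoever built the request could read the token issued for that session; it says nothing about whether the request was altered in transit, which is why the answer points to HTTPS (or request signing) for that threat.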