By setting the crossDomainSessionSecurity=false value in the init-param section of the web.xml file, the CSRF and JavaScript hijacking protections are removed. Luckily for an attacker, it is trivial to determine whether crossDomainSessionSecurity has been set to false and the application is vulnerable to CSRF. The attacker accomplishes this by using the web application and viewing the HTTP POST requests sent to it. If a POST request contains the JSESSIONID cookie value in the body of the request as well as in the Cookie header, then the crossDomainSessionSecurity protections are enabled; if not, the application may be vulnerable.
For more information on CSRF, refer to Chapter 4 and Jesse Burns's whitepaper at www.isecpartners.com/files/XSRF_Paper.pdf.
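The configuration setting and the request-level sign of it described above, as an added example that is not part of the book: a small Python audit that flags a web.xml DWR servlet whose init-param sets crossDomainSessionSecurity to false, and checks a captured POST for the JSESSIONID echoed in the body. The DwrServlet class name and the httpSessionId body field are assumptions about DWR 2.x, not values taken from the text.

```python
"""Added example (not from the book): audit DWR's crossDomainSessionSecurity setting."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment with the weak setting. The servlet class name is the
# usual DWR 2.x one and is an assumption, not something the text above states.
WEB_XML_WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param>
      <param-name>crossDomainSessionSecurity</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Constructed DWR-style POST captures: the Cookie header carries JSESSIONID and, when
# the protection is on, the body repeats it. The httpSessionId field name is DWR 2.x's
# and is an assumption rather than a fact from the text above.
PROTECTED_POST = ({"Cookie": "JSESSIONID=ABC123"}, "callCount=1\nhttpSessionId=ABC123\n")
UNPROTECTED_POST = ({"Cookie": "JSESSIONID=ABC123"}, "callCount=1\nhttpSessionId=\n")


def audit_web_xml(xml_text: str) -> list[str]:
    """Return the servlet names whose init-params set crossDomainSessionSecurity=false.
    The {*} prefix matches any namespace, so web.xml files with or without the usual
    xmlns declaration are both handled (Python 3.8+)."""
    weak = []
    for servlet in ET.fromstring(xml_text).findall(".//{*}servlet"):
        for param in servlet.findall(".//{*}init-param"):
            name = param.findtext("{*}param-name", "").strip()
            value = param.findtext("{*}param-value", "").strip().lower()
            if name == "crossDomainSessionSecurity" and value == "false":
                weak.append(servlet.findtext("{*}servlet-name", "").strip())
    return weak


def body_echoes_session(headers: dict, body: str) -> bool:
    """True when the JSESSIONID from the Cookie header is also present in the POST body,
    the sign that DWR's cross-domain session check is in force for this request."""
    cookies = dict(part.strip().split("=", 1)
                   for part in headers.get("Cookie", "").split(";") if "=" in part)
    sid = cookies.get("JSESSIONID", "")
    return bool(sid) and sid in body


if __name__ == "__main__":
    print("servlets with protection disabled:", audit_web_xml(WEB_XML_WEAK))
    print("protected capture echoes session:", body_echoes_session(*PROTECTED_POST))
    print("unprotected capture echoes session:", body_echoes_session(*UNPROTECTED_POST))
```

Running the audit over every web.xml in a deployment, and the request check over a sample of real captures, gives a quick way to confirm the protection has not been switched off.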
GOOGLE WEB TOOLKIT
Google Web Toolkit (http://code.google.com/webtoolkit) is an AJAX framework provided by Google that allows Java developers to create AJAX applications. Developers write the application in Java and then use GWT to compile it into plain HTML and JavaScript files, which can be hosted on any traditional web server such as Apache or Microsoft IIS. Since GWT does not actually function as a proxy between the client and the web application, it does not appear to be a proxy-style framework at first.