Stripes: STS-918

All parameters encrypted/decrypted with the same secret

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Hi,
      I have been looking at the Stripes framework and specifically at the CryptoUtil class usage. It looks to me that all the parameters are encrypted/decrypted with the same secret, such as "s:password" repopulation and the "_fp" and "_sourcePage" internal parameters. Depending on implementation details on different sites, this makes the sites vulnerable to replay attacks, such as copying an encrypted password to "_fp", copying a known redirect resolution page to "_sourcePage", etc.
      It would be great if the framework could use different secrets derived from the configured one and use them with different parameters, fields and other different intentions.

      -Xiaoyong
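
The mitigation the report asks for, shown as an added example that is not Stripes code: derive a separate key per purpose from the one configured secret, and additionally authenticate the purpose label as AES-GCM associated data, so a token issued for "_fp" fails authentication if it is replayed as "_sourcePage". The class and method names (PurposeBoundCrypto, seal, open) are assumptions, and HMAC-SHA256 over the purpose label stands in for a full KDF.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical replacement for a single-key CryptoUtil: each purpose label ("_fp",
// "_sourcePage", "s:password", ...) gets its own derived key and is also bound as AAD.
public final class PurposeBoundCrypto {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] masterSecret; // the one configured secret
    public PurposeBoundCrypto(byte[] masterSecret) { this.masterSecret = masterSecret.clone(); }

    // Per-purpose AES-256 key = HMAC-SHA256(master, purpose); different labels give unrelated keys.
    private SecretKeySpec keyFor(String purpose) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(masterSecret, "HmacSHA256"));
        return new SecretKeySpec(mac.doFinal(purpose.getBytes(StandardCharsets.UTF_8)), "AES");
    }

    // Token layout: 12-byte random nonce || GCM ciphertext || 16-byte tag.
    public byte[] seal(String purpose, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFor(purpose), new GCMParameterSpec(128, nonce));
        c.updateAAD(purpose.getBytes(StandardCharsets.UTF_8)); // explicit second binding
        byte[] body = c.doFinal(plaintext);
        byte[] token = Arrays.copyOf(nonce, nonce.length + body.length);
        System.arraycopy(body, 0, token, nonce.length, body.length);
        return token;
    }

    // Throws AEADBadTagException if the token was sealed for any other purpose.
    public byte[] open(String purpose, byte[] token) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keyFor(purpose), new GCMParameterSpec(128, token, 0, 12));
        c.updateAAD(purpose.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(token, 12, token.length - 12);
    }

    public static void main(String[] args) throws Exception {
        byte[] master = new byte[32];
        RNG.nextBytes(master); // constructed demo secret
        PurposeBoundCrypto crypto = new PurposeBoundCrypto(master);
        byte[] fp = crypto.seal("_fp", "fingerprint".getBytes(StandardCharsets.UTF_8));
        crypto.open("_fp", fp); // round-trips under the purpose it was issued for
        try { crypto.open("_sourcePage", fp); } // same token presented under another name
        catch (javax.crypto.AEADBadTagException e) { System.out.println("rejected: " + e); }
    }
}
```

With the per-purpose key alone the cross-purpose decrypt already fails; the AAD binding is kept so the check does not silently disappear if the key derivation is later changed.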

People

• Assignee: Unassigned
• Reporter: Xiaoyong Wu (xiaoyongwu)
• Votes: 0
• Watchers: 1