-
Notifications
You must be signed in to change notification settings - Fork 71
Security Features
Unlike some low level frameworks Seaside offers built in protection against many common web application vulnerabilities.
This is how Seaside protects you against common attacks against your web application.
Session fixation is not possible because client supplied session ids are ignored when no matching session is found. Review the implementors of #noHandlerFoundForKey:in:context:.
Further information:
The Seaside templating engine "the render canvas" escapes all output by default. It therefore adopts a safe by default policy. Special effort has to be taken to render values without escaping. Such places can easily be found and audited by looking at all the senders of #html:.
Further information:
- https://owasp.org/www-community/attacks/xss/
- https://en.wikipedia.org/wiki/Cross-site_scripting
- https://wonko.com/post/html-escaping
Seaside uses a capability based security model where only handles to actions are handed to the client. These handles are bound to a state snapshot (continuation). The state snapshots are identified by a random number which is session specific and acts like a CSRF token.
It is important that this only applies to "traditional" usage of Seaside with sessions and components, this does not apply to Seaside-REST where Seaside provides no built-in protection against CSRF.
Further information:
Seaside prevents response splitting does by not allowing CR or LF values in HTTP headers.
Further information:
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
- https://en.wikipedia.org/wiki/HTTP_response_splitting
- https://nealpoole.com/blog/2011/01/http-response-splitting-on-reddit-com/
Since Seaside is not executing files or templates it is not vulnerable to malicious file execution.
Further information:
In addition to the protections against the attacks above Seaside offers the following security related features.
Seaside uses a capability based security model where only handles to actions are handed to the client. These handles are bound to a state snapshot (continuation).
Seaside offers the built in WAStrictTransportSecurityFilter that adds a Strict-Transport-Security and redirects to the HTTPS version of the current URL.
Further information:
Seaside offers limited protection against DoS-attacks by offering the option to limit the amount of session.
In general Seaside has not been throughly reviewed to make sure it is not vulnerable to:
- hash collisions
- request headers (body size)
Further information:
- https://en.wikipedia.org/wiki/Denial-of-service_attack
- https://owasp.org/www-community/attacks/Denial_of_Service
Seaside does not interpret or execute data sent by the client. However some Smalltalk dialects have what is essentially an implementation of eval() in the form of Object class >> #readFrom:. You have to review that you never pass user input to this method either directly or indirectly, eg. in the form of Boolean class >> #readFrom:
Changelogs
- (newer changelogs, see https://github.com/SeasideSt/Seaside/releases)
- 3.4.0
- 3.3.0
- 3.2.4
- 3.2.2
- 3.2.1
- 3.2.0
- 3.1.3
- 3.1.2
- 3.1.1
- 3.1.0
- 3.0.11
- 3.0.9
- 3.0.8
- 3.0.7
- 3.0.6
- 3.0.5
- 3.0.4
- 3.0.3
- 3.0.2
- 2.8
- 2.7
- Past Releases
Development
Documentation
- Configuration and Preferences
- Embedding Subcomponents
- Maintaining State
- Generating HTML
- CSS and Javascript
- Debugging Seaside Applications
- Links, Forms and Callbacks
- Development Tools
- Call and Answer
- Naming URLs
- Security Features
- Securing Seaside Applications
- Seaside-REST
- Add-On Libraries
- Persistence
- Gettext
- FileLibrary
- The Render Tree
- PDF Generation
- Long-Term Issues
- Ajaxification
- Web Components
- Big Issues
Sprints