We use the tapestry-csrf-protection module to protect our application
against CSRF attacks. To increase security awareness in our team I want to
showcase that without such protection our application would in fact be
vulnerable to this kind of attack.

The idea is to have a prepared HTML page, which triggers a POST request in
an iframe to simulate a form submit (which will work as long as a user is
logged in to the application in the same browser). This worked fine as long
as we refreshed the page on the submit. Now it's an Ajax call and the
"attack" fails with an HTTP 500: Page must be specified before initializing
for partial page render. Is there an attack vector to make it work anyway?

I could of course make a demo to demonstrate other kinds of CSRF attacks
against a sample Tapestry application, but the effect would not be the same as
showing that the real application (without countermeasures) is vulnerable.

Follow-up question: Are there any plans on integrating a built-in CSRF
protection into Tapestry in a future version?
