Apache Wicket is a web application framework for Java and is used by quite a few big sites. During a pentest I had a closer look at the encrypted URL feature, which supposedly protects against cross-site request forgery. Unfortunately, the proposed simple example is inherently flawed for two reasons. First ...