Re: XSS in wicket. Wicket fault or my fault?
Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:

> Hi there,
>
> I'm building an application for a client and my security advisor told me about an XSS attack that can be performed on the site. When the user logs in I welcome them by saying "Hello user".
>
>     <div class="thumbnail">
>       <p wicket:id="message">Hello ${realName}.

How do you substitute the value of ${realName}? Wicket doesn't support such placeholders.

The Wicket syntax would be:

    Hello <span wicket:id="realName"></span>.

together with:

    page.add(new Label("realName", "Some Name"));

>       Welcome to the Synapse web.</p>
>     </div>
>
> As you can see I use I18N, so this is not the real text that will show up, but it's similar. I used to think that Wicket validated output before building the web page, but the white hat hacked it by just putting a fake name into the database. Too easy for me...
>
> The content of realName is:
>
>     '';!--<SCRIPT>alert('XSS')</SCRIPT>=&{()}
>
> So I ended up with:
>
>     Hello<b>'';!--<script>alert('XSS')</script>=&amp;{()}
>
> in the web page. And the script executed on login.
>
> I was thinking about baking a method into my DAO classes to validate everything that goes to the database. But there should be a better solution. Can you point me to the right one?
>
> Best regards,
Re: XSS in wicket. Wicket fault or my fault?
It looks like an EL expression, but it's not wicket-el, because it escapes output the same way Wicket does... Speaking of which, I must get off my butt and work out how to import it into wicketstuff... I've made all the changes that Wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:

> Hi,
>
> On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:
>
> [...]

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: XSS in wicket. Wicket fault or my fault?
On Thu, Jan 30, 2014 at 10:26 AM, Steve <shadders@gmail.com> wrote:

> It looks like an EL expression, but it's not wicket-el, because it escapes output the same way Wicket does... Speaking of which, I must get off my butt and work out how to import it into wicketstuff... I've made all the changes that Wicket 6.13 enabled.

+1

Ping me if you need help.

> On 30/01/14 19:03, Martin Grigorov wrote:
>
> [...]
Re: XSS in wicket. Wicket fault or my fault?
Hi,

I will take a look. Maybe I did it to allow HTML rendering on the label. Will tell you.

Thank you a lot for the references.

On 29/01/14 21:29, Paul Bors wrote:

> No need, Wicket escapes your model objects; see Component#setEscapeModelStrings(true) for when HTML should be escaped and thus the browser won't execute it as HTML or JS.
> http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)
>
> [...]
Re: XSS in wicket. Wicket fault or my fault?
Hi Martin,

This is how I've done it:

    label = new Label("message", getString("main.message", new Model<WebUser>(authSession.getUser())));
    label.setOutputMarkupId(true);

And in MainTmsPage.properties I have:

    main.message=Hello <b>${realName}</b>.<br> Welcome to the Technoactivity Payment Solutions main page.

And it worked!

On 30/01/14 10:03, Martin Grigorov wrote:

> Hi,
>
> On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:
>
> [...]
Re: XSS in wicket. Wicket fault or my fault?
Hi Paul,

You were right!!! I did

    label.setEscapeModelStrings(false);

in code, so I could show <b> bold text... That was my fault!

Best regards,

On 29/01/14 21:29, Paul Bors wrote:

> No need, Wicket escapes your model objects; see Component#setEscapeModelStrings(true) for when HTML should be escaped and thus the browser won't execute it as HTML or JS.
> http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)
>
> [...]
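As an added example, not code from this thread or from Wicket itself, the hypothetical page below combines Martin's advice (keep the <b> in the markup and let the Label escape the name) with the one defensible way to keep setEscapeModelStrings(false): escape the untrusted name with Wicket's Strings.escapeMarkup before it is interpolated into the trusted template. It assumes Wicket 6.x with wicket-util and the WicketTester on the classpath; GreetingPage and the stored name are constructed for the example.

```java
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.markup.IMarkupResourceStreamProvider;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;
import org.apache.wicket.util.string.Strings;
import org.apache.wicket.util.tester.WicketTester;

/** Hypothetical page; its markup is supplied inline so no GreetingPage.html is needed. */
public class GreetingPage extends WebPage implements IMarkupResourceStreamProvider {

    // Constructed value with the same shape as the name stored in the database in the thread.
    static final String UNTRUSTED_NAME = "'';!--<SCRIPT>alert('XSS')</SCRIPT>=&{()}";

    public GreetingPage(String realName) {
        // Shape 1: <b> lives in the markup, the Label carries only data and keeps the default
        // escapeModelStrings=true, so '<' and '>' reach the browser as &lt; and &gt;.
        add(new Label("realName", Model.of(realName)));

        // Shape 2: the message must contain HTML, so escaping is off for this Label. That is
        // acceptable only because the untrusted part is escaped BEFORE it is interpolated
        // into the trusted template (the reverse order of the bug in the thread).
        String greeting = "Hello <b>" + Strings.escapeMarkup(realName) + "</b>.<br/>Welcome.";
        add(new Label("message", greeting).setEscapeModelStrings(false));
    }

    @Override
    public IResourceStream getMarkupResourceStream(MarkupContainer container, Class<?> containerClass) {
        return new StringResourceStream("<html><head></head><body>"
            + "<p>Hello <b><span wicket:id=\"realName\"></span></b>.</p>"
            + "<p wicket:id=\"message\"></p></body></html>");
    }

    /** Renders the page with WicketTester; true when the name arrives escaped, never as a tag. */
    public static boolean rendersSafely(String realName) {
        WicketTester tester = new WicketTester();
        try {
            tester.startPage(new GreetingPage(realName));
            String html = tester.getLastResponseAsString();
            return !html.contains("<SCRIPT>") && html.contains("&lt;SCRIPT&gt;");
        } finally {
            tester.destroy();
        }
    }

    public static void main(String[] args) {
        System.out.println("rendered safely: " + rendersSafely(UNTRUSTED_NAME));
    }
}
```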
Re: XSS in wicket. Wicket fault or my fault?
Hi!

You can also replace your Label's model with a StringResourceModel. See
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html

Kind regards,
Bas Gooren

On 30-1-2014 11:17, Gonzalo Aguilar Delgado wrote:

> Hi Martin,
>
> This is how I've done it:
>
>     label = new Label("message", getString("main.message", new Model<WebUser>(authSession.getUser())));
>     label.setOutputMarkupId(true);
>
> And in MainTmsPage.properties I have:
>
>     main.message=Hello <b>${realName}</b>.<br> Welcome to the Technoactivity Payment Solutions main page.
>
> And it worked!
>
> [...]
Re: XSS in wicket. Wicket fault or my fault?
Hi Bas,

Thank you for the reference, I forgot this one. I updated the code. It's better with StringResourceModel... :D

On 30/01/14 11:22, Bas Gooren wrote:

> Hi!
>
> You can also replace your Label's model with a StringResourceModel. See
> http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html
>
> Kind regards,
> Bas Gooren
>
> On 30-1-2014 11:17, Gonzalo Aguilar Delgado wrote:
>
> [...]
Re: XSS in wicket. Wicket fault or my fault?
No need, Wicket escapes your model objects; see Component#setEscapeModelStrings(true) for when HTML should be escaped and thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a Wicket model for your label. See the bottom of section 11.1 "What is a model?" of the free Wicket guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html

On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:

> Hi there,
>
> I'm building an application for a client and my security advisor told me about an XSS attack that can be performed on the site.
>
> [...]