Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Martin Grigorov
Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado 
gagui...@aguilardelgado.com wrote:

 Hi there,

 I'm building an application for a client and my security advisor told me
 about an XSS attack that can be performed on the site.

 When a user logs in I welcome them by saying Hello user.

 <div class="thumbnail">
 <p wicket:id="message">
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
Together with: page.add(new Label("realName", "Some Name"));


 Welcome to the Synapse web.
 </p>
 </div>


 As you can see I use I18N so this is not the real text that will show up,
 but it's similar.

 I used to think that Wicket validated output before building the web page, but
 the white hat hacked it by just putting a fake name into the database. Too easy
 for me...

 The content of realName is:

 '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}


 So I ended with:

 Hello <b>'';!--"<script>alert('XSS')</script>=&amp;{()}

 In the web page. And the script executed on login.

 I was thinking about baking a method into my DAO classes to validate
 everything that goes to the database. But it should be a better solution.

 Can you point me to the right one?



 Best regards,





Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Steve
It looks like an EL expression, but it's not wicket-el because it escapes
output the same way Wicket does...

Speaking of which, I must get off my butt and work out how to import it into
wicketstuff... I've made all the changes that wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Martin Grigorov
On Thu, Jan 30, 2014 at 10:26 AM, Steve shadders@gmail.com wrote:

 It looks like an EL expression but it's not wicket-el because it escapes
 output the same way wicket does...

 speaking of I must get off my butt and work out how to import it into
 wicketstuff... I've made all the changes that wicket 6.13 enabled.


+1, ping me if you need help.





Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi, I will take a look.

Maybe I did it to allow HTML rendering on the label. Will tell you.

Thank you a lot for references.

On 29/01/14 21:29, Paul Bors wrote:

No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See section 11.1 "What is a model?" at the bottom of the free Wicket guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado 
gagui...@aguilardelgado.com wrote:




Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model<WebUser>(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello <b>${realName}</b>.<br> Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:


Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Paul,

You were right!!!

I did

label.setEscapeModelStrings(false);

in the code, so I can show <b> bold text...

That was my fault!

Best regards,

On 29/01/14 21:29, Paul Bors wrote:



Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Bas Gooren

Hi!

You can also replace your Label's model with a StringResourceModel.

See 
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html


Kind regards,

Bas Gooren

On 30-1-2014 11:17, Gonzalo Aguilar Delgado wrote:


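An added example, not code from this thread or from Wicket itself, that puts Paul's point (escaping is on by default and was switched off to render the <b> from the properties file) together with Bas's StringResourceModel suggestion: the property template stays trusted markup, and only the user-controlled realName is escaped before it is substituted. The WebUser and EscapedWebUser beans, the markup and the property value are assumptions; the Wicket classes and methods are the 6.x API discussed in the thread.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.StringResourceModel;
import org.apache.wicket.util.string.Strings;

import java.io.Serializable;

// Assumed markup: <p wicket:id="message"></p>
// Assumed MainTmsPage.properties entry (trusted markup lives here, not in the DB):
//   main.message=Hello <b>${realName}</b>.<br/> Welcome to the main page.
public class MainTmsPage extends WebPage {

    // Hypothetical user bean; realName comes from the database and is untrusted.
    public static class WebUser implements Serializable {
        private final String realName;
        public WebUser(String realName) { this.realName = realName; }
        public String getRealName() { return realName; }
    }

    // Read-only view of WebUser whose ${realName} resolves to an HTML-escaped value,
    // so the property expression in main.message can never inject markup.
    public static class EscapedWebUser implements Serializable {
        private final WebUser user;
        public EscapedWebUser(WebUser user) { this.user = user; }
        public String getRealName() {
            return Strings.escapeMarkup(user.getRealName()).toString();
        }
    }

    // BEFORE (the thread's bug): escaping disabled so <b> renders, but the raw
    // database value is substituted into the message and rendered as HTML too.
    Label unsafeWelcome(WebUser user) {
        Label label = new Label("message",
                new StringResourceModel("main.message", this, Model.of(user)));
        label.setEscapeModelStrings(false);
        return label;
    }

    // AFTER: escaping still disabled for the trusted template text, but the only
    // untrusted part (realName) is escaped before StringResourceModel substitutes it.
    Label safeWelcome(WebUser user) {
        Label label = new Label("message",
                new StringResourceModel("main.message", this, Model.of(new EscapedWebUser(user))));
        label.setEscapeModelStrings(false);
        return label;
    }

    public MainTmsPage(WebUser user) {
        add(safeWelcome(user));
    }
}
```

With the test value from the thread stored as realName, safeWelcome renders the angle brackets, quotes and ampersand as entities, so the name appears as inert text inside the bold tag while the <b> and <br/> from the properties file still render.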

Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Bas,

Thank you for the reference, I forgot this one. I updated the code.

Thank you for the reference. It's better with StringResourceModel... :D

On 30/01/14 11:22, Bas Gooren wrote:



Re: XSS in wicket. Wicket fault or my fault?

2014-01-29 Thread Paul Bors
No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See section 11.1 "What is a model?" at the bottom of the free Wicket guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado 
gagui...@aguilardelgado.com wrote:
