Juniper Systems Network Filters Recently Updated Block Some Wicket URLs

2013-06-14 Thread Duane Searsmith
Hi,

I work in a user group at a large US university that uses Juniper Networks
security software to filter traffic on the borders of their campus
network.  I administer a wicket web app that has been running just fine for
the last 2 years.  Last Saturday, certain wicket generated URLs were not
being successfully passed through the aforementioned filter. Long story
short, one week later it turns out that there was a recent update made to
one of the filter signatures that causes this problem, and when the
signatures were updated to the campus filter software our problems began.
Fortunately the network admins recognized this as a false positive and
agreed to disable this signature.

I'm posting this message to let folks know that this is an issue.  I have
posted the info about the error below with an example of a URL that is
blocked going from the browser to the web app.

==
Example url that was being blocked:

http://xxx.xxx.xxx//?wicket:interface=:1:pubpan:publishersform:datatable:body:rows:2:cells:1:cell:actionlink::ILinkListener::

==
Error generated at the filter:

The traffic to that host is triggering an IDP error
HTTP:XSS:HTML-SCRIPT-IN-URL-VAR
which the vendor describes as:

Short Name: HTTP:XSS:HTML-SCRIPT-IN-URL-VAR
Severity: High
Recommended: Yes
Recommended Action: Drop
Category: HTTP
Keywords: CSS XSS Cross Site Scripting KB983438 39776
Release Date: 2003/12/17
Update Number: 1213
Supported Platforms: di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+

HTTP: HTML Script Tag Embedded in URL Variables

This signature detects attempts at cross-site scripting attacks. Attackers
can create a malicious Web site that includes HTML embedded in the
hyperlinks, which can violate site security settings. A victim that
accesses these hyperlinks can allow the attacker to view the victim's Web
cookies. Web cookies typically contain sensitive information. This
technique is also used by some advertisement companies to gather information
about people; since the extent of the information gathered cannot be
controlled, this behavior is considered malicious by default.

===

Best,
Duane


Re: Juniper Systems Network Filters Recently Updated Block Some Wicket URLs

2013-06-14 Thread Sven Meier

Thanks for your information.

I wonder what embedded HTML Script Tag Juniper sees in the given url:

http://130.126.114.121/cgdashboard/?wicket:interface=:1:pubpan:publishersform:datatable:body:rows:2:cells:1:cell:actionlink::ILinkListener

Sven



Re: Juniper Systems Network Filters Recently Updated Block Some Wicket URLs

2013-06-14 Thread Dan Retzlaff
Wild guess: link in query parameter is suspected of injecting malicious
link into application's rendered page.


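A triage helper for this kind of false positive, added here as my own example (not code from the thread, the Wicket project or Juniper): it percent-decodes the query once, the way an inspection engine sees it, splits the `wicket:interface` value into its fields and reports which parameters actually contain the characters an HTML tag needs. The field order pageMap:pageId:componentPath:version:interface:behaviorId:urlDepth is my reading of Wicket 1.4's listener URLs, and the `example.edu` host and the `msg` parameter are constructed.

```python
"""Triage a HTTP:XSS:HTML-SCRIPT-IN-URL-VAR hit on a Wicket 1.4 URL (constructed
example, not Wicket or Juniper code). Field layout pageMap:pageId:componentPath:
version:interface:behaviorId:urlDepth is my reading of Wicket 1.4; the component
path also uses ':' so the value is parsed from both ends."""
from urllib.parse import parse_qsl, urlsplit

MARKUP_CHARS = frozenset('<>"\'')  # no HTML tag can be written without '<' and '>'


def parse_wicket_interface(value):
    """Split a wicket:interface value into named fields (None if too short)."""
    parts = value.split(":")
    if len(parts) < 7:
        return None
    return {
        "page_map": parts[0],
        "page_id": parts[1],
        "component_path": parts[2:-4],  # variable length, colon separated
        "version": parts[-4],
        "interface": parts[-3],
        "behavior_id": parts[-2],
        "url_depth": parts[-1],
    }


def triage(url):
    """Decode the query once, pull apart the Wicket fields and list parameters whose
    value could carry a tag or a javascript: URL; an empty list means false positive."""
    wicket, flagged = None, []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name == "wicket:interface":
            wicket = parse_wicket_interface(value)
        if MARKUP_CHARS & set(value) or "javascript:" in value.lower():
            flagged.append(name)
    return {"interface": wicket, "flagged_params": flagged}


# Constructed samples: the URL shape from the thread on an example host, with the
# trailing "::" (empty behaviorId/urlDepth) that Wicket 1.4 appends, and a
# percent-encoded tag of the kind the signature is meant to catch.
WICKET_URL = ("http://example.edu/cgdashboard/?wicket:interface=:1:pubpan:"
              "publishersform:datatable:body:rows:2:cells:1:cell:actionlink::ILinkListener::")
TAGGED_URL = "http://example.edu/cgdashboard/?msg=%3Cscript%3E"

if __name__ == "__main__":
    for u in (WICKET_URL, TAGGED_URL):
        print(triage(u))
```

Running it shows the Wicket URL decomposes into page id, component path and listener interface with no flagged parameter, while the constructed tagged URL is flagged on `msg`.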