Wild guess: the "link" in the query parameter is suspected of injecting a malicious <link> into the application's rendered page.
On Fri, Jun 14, 2013 at 9:41 AM, Sven Meier <[email protected]> wrote:

> Thanks for your information.
>
> I wonder what embedded "HTML Script Tag" Juniper sees in the given url:
>
> http://130.126.114.121/cgdashboard/?wicket:interface=:1:pubpan:publishersform:datatable:body:rows:2:cells:1:cell:actionlink::ILinkListener
>
> Sven
>
> On 06/14/2013 04:37 PM, Duane Searsmith wrote:
>
>> Hi,
>>
>> I work in a user group at a large US university that uses Juniper Networks
>> security software to filter traffic on the borders of their campus
>> network. I administer a wicket web app that has been running just fine for
>> the last 2 years. Last Saturday, certain wicket generated URLs were not
>> being successfully passed through the aforementioned filter. Long story
>> short and one week later, turns out that there was a recent update made to
>> one of the filter signatures that causes this problem, and when the
>> signatures were updated to the campus filter software our problems began.
>> Fortunately the network admins recognized this as a false positive and
>> agreed to disable this signature.
>>
>> I'm posting this message to let folks know that this is an issue. I have
>> posted the info about the error below with an example of a URL that is
>> blocked going from the browser to the web app.
>>
>> ==============
>> Example url that was being blocked:
>>
>> "http://xxx.xxx.xxx.xxx/yyyyyyyyyyyy/?wicket:interface=:1:pubpan:publishersform:datatable:body:rows:2:cells:1:cell:actionlink::ILinkListener::"
>>
>> ==============
>> Error generated at the filter:
>>
>> The traffic to that host is triggering an IDP error
>> HTTP:XSS:HTML-SCRIPT-IN-URL-VAR
>> which the vendor describes as:
>>
>> Juniper Networks Security Intelligence Center - Signature Detail
>>
>> Short Name: HTTP:XSS:HTML-SCRIPT-IN-URL-VAR
>> Severity: High
>> Recommended: Yes
>> Recommended Action: Drop
>> Category: HTTP
>> Keywords: CSS XSS Cross Site Scripting KB983438 39776
>> Release Date: 2003/12/17
>> Update Number: 1213
>> Supported Platforms: di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+
>>
>> HTTP: HTML Script Tag Embedded in URL Variables
>>
>> This signature detects attempts at cross-site scripting attacks. Attackers
>> can create a malicious Web site that includes HTML embedded in the
>> hyperlinks, which can violate site security settings. A victim that
>> accesses these hyperlinks can allow the attacker to view the victim's Web
>> cookies. Web cookies typically contain sensitive information. This
>> technique is also used by some advertisement companies to gather information
>> about people; since the extent of the information gathered cannot be
>> controlled, this behavior is considered by default malicious.
>>
>> ===========
>>
>> Best,
>> Duane
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
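The following script is an added illustration of the false positive discussed in this thread; it is not part of the mailing-list exchange and not Juniper's or Wicket's code. It models the "wild guess" above as a hypothetical naive rule (flag any URL parameter value that merely contains the substring "link" or "script"), places a tag-aware rule beside it that decodes the value and requires an actual `<tag` opener, and runs both over the Wicket URL quoted in the thread plus two constructed URLs. The naive model and the sample hosts `example.invalid` are assumptions for illustration; the vendor's real matching logic is not known from the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample traffic. The first URL is the one quoted in the thread;
# the other two are built here for contrast and are not from the thread.
SAMPLE_URLS = [
    # Legitimate Wicket 1.x listener URL: "actionlink" and "ILinkListener" are
    # component-path identifiers, not HTML markup.
    "http://130.126.114.121/cgdashboard/?wicket:interface=:1:pubpan:"
    "publishersform:datatable:body:rows:2:cells:1:cell:actionlink::ILinkListener",
    # Constructed: a percent-encoded HTML tag inside a parameter value.
    "http://example.invalid/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    # Constructed: a harmless value that only mentions the word "script".
    "http://example.invalid/docs?topic=shell+scripting+basics",
]

KEYWORDS = ("script", "link")

# A real start (or end) tag for an element that can load or run code. This is
# a teaching approximation, not a complete XSS grammar.
TAG_RE = re.compile(r"<\s*/?\s*(script|link|iframe|object|embed)\b", re.IGNORECASE)


def query_values(url):
    """Return the query-parameter values of a URL, percent-decoded.

    parse_qsl already decodes once; the extra unquote_plus pass also catches
    values that were double-encoded, which signature engines commonly do.
    """
    query = urlsplit(url).query
    return [unquote_plus(v) for _, v in parse_qsl(query, keep_blank_values=True)]


def naive_signature_hits(url):
    """Hypothetical model of the false positive (assumption, not the vendor rule):
    fire if any parameter value contains a keyword as a bare substring."""
    return any(k in v.lower() for v in query_values(url) for k in KEYWORDS)


def tag_aware_signature_hits(url):
    """Tighter rule: decode the value, then require a genuine '<' tag opener
    in front of the keyword. Wicket's ':actionlink::ILinkListener' has no '<'."""
    return any(TAG_RE.search(v) is not None for v in query_values(url))


def classify(urls):
    """Return {url: (naive_hit, tag_aware_hit)} for a batch of URLs."""
    return {u: (naive_signature_hits(u), tag_aware_signature_hits(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify(SAMPLE_URLS).items():
        print(f"naive={naive!s:5} tag_aware={strict!s:5} {url}")
```

Run as a script it prints one line per URL: the Wicket listener URL is flagged only by the naive substring rule, the encoded `<script>` value is flagged by both, and "shell scripting basics" again trips only the naive rule. The practical point for whoever tunes the filter is that the decision should be made on the decoded value and on the presence of a tag opener, not on keyword substrings that also occur in ordinary framework-generated identifiers.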
