On Thu, Jan 30, 2014 at 10:26 AM, Steve <shadders....@gmail.com> wrote:

> It looks like an EL expression but it's not wicket-el because it escapes
> output the same way wicket does...
>
> speaking of I must get off my butt and work out how to import it into
> wicketstuff... I've made all the changes that wicket 6.13 enabled.
>

+1
ping me if you need help


>
> On 30/01/14 19:03, Martin Grigorov wrote:
> > Hi,
> >
> > On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> > gagui...@aguilardelgado.com> wrote:
> >
> >> Hi there,
> >>
> >> I'm building an application for a client and my security advisor told me
> >> about a XSS attack that can be performed on the site.
> >>
> >> When a user logs in I welcome them by saying "Hello user".
> >>
> >> <div class="thumbnail">
> >>                     <p wicket:id="message">
> >>                         Hello ${realName}.
> >>
> > How do you substitute the value of ${realName} ?
> > Wicket doesn't support such placeholders.
> >
> > The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
> > Together with: page.add(new Label("realName", "Some Name"));
> >
> >
> >>                         Welcome to the Synapse web.
> >>                     </p>
> >>                 </div>
> >>
> >>
> >> As you can see I use I18N so this is not the real text that will show
> >> up, but it's similar.
> >>
> >> I used to think that wicket validated output before building web but the
> >> white hat hacked it by just putting a fake name into the database. Too
> >> easy for me...
> >>
> >> The content of realName is:
> >>
> >> '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
> >>
> >>
> >> So I ended with:
> >>
> >> Hello<b>'';!--"<script>alert('XSS')</script>=&amp;{()}
> >>
> >> In the web page. And the script executed on login.
> >>
> >> I was thinking about baking a method into my DAO classes to validate
> >> everything that goes to the database. But there should be a better
> >> solution.
> >>
> >> Can you point me to the right one?
> >>
> >>
> >>
> >> Best regards,
> >>
> >>
> >>
>
>

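As an added example (not code from this thread or from the Wicket project), the Label wiring Martin describes, rendered through WicketTester against the exact "real name" payload from the post so the escaped output can be checked in a regression test. The class name `WelcomePage`, its markup file and the model wiring are assumptions.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.tester.WicketTester;

// Assumed markup file WelcomePage.html, next to this class on the classpath:
//   <html xmlns:wicket="http://wicket.apache.org">
//   <body>
//     <div class="thumbnail">
//       <p>Hello <span wicket:id="realName"></span>. Welcome to the Synapse web.</p>
//     </div>
//   </body>
//   </html>
public class WelcomePage extends WebPage {
    private static final long serialVersionUID = 1L;

    public WelcomePage(IModel<String> realName) {
        // Label escapes its model string by default ('<' -> '&lt;', '&' -> '&amp;', ...).
        // Calling setEscapeModelStrings(false) on user-controlled data would reintroduce the bug.
        add(new Label("realName", realName));
    }

    // Returns true when the payload reaches the response escaped and no raw script tag survives.
    public static boolean rendersPayloadEscaped(String storedRealName) {
        WicketTester tester = new WicketTester();
        try {
            tester.startPage(new WelcomePage(Model.of(storedRealName)));
            tester.assertRenderedPage(WelcomePage.class);
            String html = tester.getLastResponseAsString();
            boolean rawTagPresent = html.contains("<SCRIPT>") || html.contains("<script>");
            boolean escapedPresent = html.contains("&lt;SCRIPT&gt;");
            return escapedPresent && !rawTagPresent;
        } finally {
            tester.destroy();
        }
    }

    public static void main(String[] args) {
        // The value the white hat stored in the database, taken from the post.
        String payload = "'';!--\"<SCRIPT>alert('XSS')</SCRIPT>=&{()}";
        if (!rendersPayloadEscaped(payload)) {
            throw new AssertionError("stored name reached the response unescaped");
        }
        System.out.println("Label escaped the stored name as expected");
    }
}
```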