Do you have a knowledge how to protect a Wicket application against
such a problem:

In short: redirect request can be intercepted and the attacker can
change Host header to another value.

Can it be done on application (Wicket, Java Servlet) level (such Host
header checking) or should it be done outside an app, on the
reverse-proxy level, ...?

More details:

The application redirects users based on the value of the Host header.
As this value is not properly validated, redirects to third party
domains can occur.

It is possible to redirect application users to a URL outside the
customer control. Such a website might be used in phishing attacks to
harvest user credentials or try to exploit vulnerabilities on a user’s
This vulnerability might also lead to web-cache poisoning and
poisoning of links that are send to an user via an e-mail

Validate all input parameters used for redirection and deny any
request if the supplied value does not belong to the application’s


To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to