I got a report; it suggests our web site needs to deal with an XML injection issue.
We use DropDownChoice with OnChangeAjaxBehavior to invoke another
DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
used Burp Suite to inject XML into the XML payload, such as injecting &xxe;


[image: image.png] <https://drive.google.com/file/d/1U9nls1Z7tfs_zqEvbLLYsef89BFMopeY/view?usp=drive_web>


which resulted in an abnormal response


[image: image.png] <https://drive.google.com/file/d/1RcAegoREfmkdPNm1DCw9ouUyfI20lh7K/view?usp=drive_web>


As a result, I have to prevent the XML injection. Do I check the entire
payload or only check the value we need?

On Thu, Apr 9, 2020 at 4:57 PM Martin Grigorov <mgrigo...@apache.org> wrote:

> The images didn't make it to the mailing list.
> Please use some online image paste bin.
>
> On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao <shengchehs...@gmail.com>
> wrote:
>
> > I got a report; it suggests our web site needs to deal with an XML injection
> > issue.
> > We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> > DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
> > used Burp Suite to inject XML into the XML payload, such as injecting &xxe;
> >
> > [image: image.png]
> >
> > which resulted in an abnormal response
> >
> > [image: image.png]
> >
> > As a result, I have to prevent the XML injection. Do I check the entire
> > payload or only check the value we need?
> >
> > On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigo...@apache.org>
> > wrote:
> >
> >> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehs...@gmail.com>
> >> wrote:
> >>
> >> > Yes, I need to know which methods to override
> >> >
> >>
> >> I still do not understand what exactly you need to accomplish.
> >> Please be more specific!
> >>
> >>
> >> >
> >> > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigo...@apache.org>
> >> wrote:
> >> >
> >> > > Hi,
> >> > >
> >> > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front...@gmail.com>
> >> > wrote:
> >> > >
> >> > > > Dear all
> >> > > >
> >> > > > I use the built-in Ajax DropDownChoice component; its default payload is an
> >> > > > XML entity, but if I need to prevent XML injection, how can I do it?
> >> > > >
> >> > >
> >> > > Could you please give some more information what exactly you need?
> >> > >
> >> > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > --------------------------------------------------------------------------------------------->
> >> > > > To boldly go where no man has gone before.
> >> > > > --------------------------------------------------------------------------------------------->
> >> > > > We do this not because it is easy. We do this because it is hard.
> >> > > > --------------------------------------------------------------------------------------------->
> >> > > > If I have seen further it is by standing on the shoulders of giants.
> >> > > > --------------------------------------------------------------------------------------------->
> >> > > > front...@gmail.com
> >> > > >
> >> > >
> >> >
> >>
> >> > --
> >> > ----------------------------------------------------------------------->
> >> > We do this not because it is easy. We do this because it is hard.
> >> > ----------------------------------------------------------------------->
> >> > ShengChe Hsiao
> >> > ----------------------------------------------------------------------->
> >> > front...@gmail.com
> >> > front...@tc.edu.tw
> >> > ----------------------------------------------------------------------->
> >> > VoIP : 070-910-2450
> >> > ----------------------------------------------------------------------->
> >> >
> >>
> >
> >
>


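The question in the post above is whether to check the whole payload or only the value that is actually used. As an added example (not code from the original thread, and not Apache Wicket's own code), the Java below shows the two checks a reviewer would ask for when a tester sends `&xxe;` in a request: an allow-list check of the submitted choice against the server-side choice ids, and, for any place where the application's own code parses XML taken from a request, a DocumentBuilderFactory configured to reject a DOCTYPE so that neither internal nor external entities can be declared at all. The payload strings, the choice ids "1", "2" and "3", and the class and method names are constructed for this example; the thread does not say where the reporter's entity reference ended up being parsed, so the parser hardening applies only if server-side code does parse request XML.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample: an XML body that declares an external entity and then
    // references it, the kind of input a tester sends to probe for XXE.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
      + "<choice>&xxe;</choice>";

    // Constructed sample: the same element carrying a legitimate choice id.
    static final String BENIGN_PAYLOAD = "<choice>2</choice>";

    /** Hardened factory: no DOCTYPE at all, so no internal or external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration is the single setting that closes XXE;
        // the remaining ones are defence in depth for parsers that ignore it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses with the hardened factory; returns null when the document is rejected. */
    static Document parseSafely(String xml) throws ParserConfigurationException {
        try {
            DocumentBuilder b = hardenedFactory().newDocumentBuilder();
            return b.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException | IOException e) {
            // A DOCTYPE (or malformed XML) ends up here: reject the request,
            // do not try to strip entity references out and carry on.
            return null;
        }
    }

    /** Allow-list check for the submitted DropDownChoice value: only a known id passes. */
    static boolean isAllowedChoice(String submitted, Set<String> allowedIds) {
        return submitted != null && allowedIds.contains(submitted);
    }

    public static void main(String[] args) throws Exception {
        // The entity-declaring document never reaches application logic.
        System.out.println("XXE payload rejected by parser: " + (parseSafely(XXE_PAYLOAD) == null));

        // The benign document parses; its value is then checked against the
        // server-side list of choice ids (constructed here as "1", "2", "3").
        Document ok = parseSafely(BENIGN_PAYLOAD);
        String value = ok.getDocumentElement().getTextContent();
        Set<String> allowed = Set.of("1", "2", "3");
        System.out.println("value " + value + " allowed: " + isAllowedChoice(value, allowed));

        // A raw entity reference as a value fails the allow-list even if it
        // were to arrive as an ordinary form parameter.
        System.out.println("&xxe; allowed: " + isAllowedChoice("&xxe;", allowed));
    }
}
```

Run with `java XxeHardening.java` on JDK 11 or later. The DOCTYPE payload is rejected by the parser (parseSafely returns null), the value "2" from the benign document passes the allow-list, and "&xxe;" does not. Rejecting the document outright is preferable to scanning and filtering the whole payload: the parser settings remove the class of bug, whereas a filter has to anticipate every encoding of the same reference.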
