Can you solve this by simply validating that the submitted values are legal? This
way it does not matter if the client tries to override the submit.

Martin

On Thu, 9 Apr 2020 at 12:22 Shengche Hsiao (shengchehs...@gmail.com)
wrote:

> I got a report; it suggests our web site deal with an XML injection issue.
> We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
> used Burpsuite
> to inject XML into the XML payload, such as injecting &xxe;
>
> [image: image.png]
> <https://drive.google.com/file/d/1U9nls1Z7tfs_zqEvbLLYsef89BFMopeY/view?usp=drive_web>
>
>
> and resulted in some abnormal response
>
> [image: image.png]
> <https://drive.google.com/file/d/1RcAegoREfmkdPNm1DCw9ouUyfI20lh7K/view?usp=drive_web>
>
>
> As a result, I have to prevent the XML injection. Do I check the entire
> payload or only check the value we need?
>
> On Thu, Apr 9, 2020 at 4:57 PM Martin Grigorov <mgrigo...@apache.org>
> wrote:
>
> > The images didn't make it to the mailing list.
> > Please use some online image paste bin.
> >
> > On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao <shengchehs...@gmail.com>
> > wrote:
> >
> > > I got a report; it suggests our web site deal with an XML injection
> > > issue.
> > > We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> > > DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
> > > used Burpsuite to inject XML into the XML payload, such as injecting &xxe;
> > >
> > > [image: image.png]
> > >
> > > and resulted in some abnormal response
> > >
> > > [image: image.png]
> > >
> > > As a result, I have to prevent the XML injection. Do I check the entire
> > > payload or only check the value we need?
> > >
> > > On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigo...@apache.org>
> > > wrote:
> > >
> > >> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehs...@gmail.com>
> > >> wrote:
> > >>
> > >> > Yes, I need to know overriding which methods
> > >> >
> > >>
> > >> I still do not understand what exactly you need to accomplish.
> > >> Please be more specific!
> > >>
> > >>
> > >> >
> > >> > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigo...@apache.org>
> > >> wrote:
> > >> >
> > >> > > Hi,
> > >> > >
> > >> > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front...@gmail.com>
> > >> > > wrote:
> > >> > >
> > >> > > > Dear all
> > >> > > >
> > >> > > > I use the built-in ajax dropdownchoice component; its default
> > >> > > > payload is an xml entity, but if I need to prevent xml injection,
> > >> > > > how can I do it?
> > >> > > >
> > >> > >
> > >> > > Could you please give some more information on what exactly you need?
> > >> > >
> > >> > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > ---------------------------------------------------------------------->
> > >> > > > To boldly go where no man has gone before.
> > >> > > > ---------------------------------------------------------------------->
> > >> > > > We do this not because it is easy. We do this because it is hard.
> > >> > > > ---------------------------------------------------------------------->
> > >> > > > If I have seen further it is by standing on the shoulders of giants.
> > >> > > > ---------------------------------------------------------------------->
> > >> > > > front...@gmail.com
> > >> > > >
> > >> > >
> > >> >
> > >> > --
> > >> > ----------------------------------------------------------------------->
> > >> > We do this not because it is easy. We do this because it is hard.
> > >> > ----------------------------------------------------------------------->
> > >> > ShengChe Hsiao
> > >> > ----------------------------------------------------------------------->
> > >> > front...@gmail.com
> > >> > front...@tc.edu.tw
> > >> > ----------------------------------------------------------------------->
> > >> > VoIP : 070-910-2450
> > >> > ----------------------------------------------------------------------->
> > >> >
> > >>
> > >
> > >
> >
>
>
>
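Martin's suggestion at the top of the thread, validating that each submitted value is one of the legal choices instead of trying to filter the Ajax payload, as an added Wicket example. This is not code from the thread or from the Wicket project: the panel, its component ids (`form`, `region`, `city`), the region/city choice lists and the `AllowListValidator` helper are all assumptions made for the illustration. The `city` dropdown plays the role of the dependent DropDownChoice that is re-rendered by `OnChangeAjaxBehavior`.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.OnChangeAjaxBehavior;
import org.apache.wicket.markup.html.form.DropDownChoice;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;

// Hypothetical panel (assumption, not from the thread): a "region" dropdown
// that refreshes a dependent "city" dropdown over Ajax.
public class RegionCityPanel extends Panel {

    // Server-side allow-lists: only these strings are legal submitted values.
    private static final List<String> REGIONS = Arrays.asList("north", "south");
    private static final Map<String, List<String>> CITIES = Map.of(
        "north", Arrays.asList("Oulu", "Rovaniemi"),
        "south", Arrays.asList("Helsinki", "Turku"));

    public RegionCityPanel(String id) {
        super(id);

        IModel<String> region = Model.of("north");
        IModel<String> city = new Model<>();

        Form<Void> form = new Form<>("form");
        add(form);

        DropDownChoice<String> cityChoice =
            new DropDownChoice<>("city", city, citiesFor(region.getObject()));
        cityChoice.setRequired(true);
        cityChoice.setOutputMarkupId(true); // needed so Ajax can re-render it

        DropDownChoice<String> regionChoice =
            new DropDownChoice<>("region", region, REGIONS);
        // DropDownChoice maps the submitted id back to one of its own choices and
        // yields null for anything else, so setRequired(true) alone already fails
        // validation for an injected value. The validator makes the allow-list
        // check explicit and independent of the rendered choice list.
        regionChoice.setRequired(true);
        regionChoice.add(new AllowListValidator(REGIONS));
        regionChoice.add(new OnChangeAjaxBehavior() {
            @Override
            protected void onUpdate(AjaxRequestTarget target) {
                // Reached only after regionChoice validated, so region.getObject()
                // is a legal key. The request payload itself is never inspected.
                cityChoice.setChoices(citiesFor(region.getObject()));
                city.setObject(null);
                target.add(cityChoice);
            }

            @Override
            protected void onError(AjaxRequestTarget target, RuntimeException e) {
                // super rethrows real exceptions; a validation failure arrives with
                // e == null and leaves the model and the dependent choice untouched.
                super.onError(target, e);
            }
        });

        form.add(regionChoice, cityChoice);
    }

    private static List<String> citiesFor(String region) {
        return CITIES.getOrDefault(region, Collections.emptyList());
    }

    /** Rejects any converted value that is not in the fixed allow-list. */
    static final class AllowListValidator implements IValidator<String> {
        private final List<String> allowed;

        AllowListValidator(List<String> allowed) {
            this.allowed = allowed;
        }

        @Override
        public void validate(IValidatable<String> validatable) {
            if (!allowed.contains(validatable.getValue())) {
                validatable.error(new ValidationError(this)
                    .setMessage("Submitted value is not one of the allowed choices"));
            }
        }
    }
}
```

Because validation runs on the converted value before `onUpdate`, a tampered request carrying something like `&xxe;` in place of a choice id never reaches the model or the dependent dropdown; the component simply reports a validation error. Showing that error to the user is a matter of adding a feedback panel to the `AjaxRequestTarget` in `onError`.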
