Yes, super thanks for the detailed explanation.

On Sat, Apr 11, 2020 at 11:19 AM Martin Terra <martin.te...@koodaripalvelut.com> wrote:

> On Sat, 11 Apr 2020 at 5:58 Shengche Hsiao (shengchehs...@gmail.com) wrote:
>
> > Thanks Martin, I might misunderstand the report, and I'll validate the
> > submitted values to prevent xml injection.
>
> You're welcome. To clarify: validation can prevent any malicious effects of
> injected values, but it cannot prevent the injection itself. Therefore,
> validation could cure the issue found in the report. This should
> of course be verified by reproducing the issue before the fix and confirming
> that applying the fix successfully mitigates the issue.
>
> **
> Martin
>
> > On Thu, Apr 9, 2020 at 8:07 PM Martin Grigorov <mgrigo...@apache.org> wrote:
> >
> > > I still do not understand what exactly is the issue here.
> > >
> > > The client/browser submits the values as key/value pairs
> > > (application/x-www-form-urlencoded).
> > > The server responds with XML that is processed by wicket-ajax.js.
> > > How could validation of the submitted values help with the XML injection?!
> > >
> > > On Thu, Apr 9, 2020 at 2:52 PM Shengche Hsiao <shengchehs...@gmail.com> wrote:
> > >
> > > > Thank you, I'll do that and see if it works.
> > > >
> > > > On Thu, Apr 9, 2020 at 6:35 PM Martin Terra <martin.te...@koodaripalvelut.com> wrote:
> > > >
> > > > > Can you solve this by simply validating whether the submitted values are legal?
> > > > > This way it does not matter if the client tries to override the submit.
> > > > >
> > > > > **
> > > > > Martin
> > > > >
> > > > > On Thu, 9 Apr 2020 at 12:22 Shengche Hsiao (shengchehs...@gmail.com) wrote:
> > > > >
> > > > > > I got a report; it suggests our web site deal with an xml injection issue.
> > > > > > We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> > > > > > DropDownChoice via the wicket-ajax built-in xml payload, and the reporters
> > > > > > used Burp Suite to inject xml into the xml payload, such as injecting &xxe;
> > > > > >
> > > > > > [image: image.png]
> > > > > > <https://drive.google.com/file/d/1U9nls1Z7tfs_zqEvbLLYsef89BFMopeY/view?usp=drive_web>
> > > > > >
> > > > > > and resulted in some abnormal response
> > > > > >
> > > > > > [image: image.png]
> > > > > > <https://drive.google.com/file/d/1RcAegoREfmkdPNm1DCw9ouUyfI20lh7K/view?usp=drive_web>
> > > > > >
> > > > > > As a result, I have to prevent the xml injection. Do I check the entire
> > > > > > payload or only check the value we need?
> > > > > >
> > > > > > On Thu, Apr 9, 2020 at 4:57 PM Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > > >
> > > > > > > The images didn't make it to the mailing list.
> > > > > > > Please use some online image paste bin.
> > > > > > >
> > > > > > > On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
> > > > > > >
> > > > > > > > I got a report; it suggests our web site deal with an xml injection issue.
> > > > > > > > We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> > > > > > > > DropDownChoice via the wicket-ajax built-in xml payload, and the reporters
> > > > > > > > used Burp Suite to inject xml into the xml payload, such as injecting &xxe;
> > > > > > > >
> > > > > > > > [image: image.png]
> > > > > > > >
> > > > > > > > and resulted in some abnormal response
> > > > > > > >
> > > > > > > > [image: image.png]
> > > > > > > >
> > > > > > > > As a result, I have to prevent the xml injection. Do I check the entire
> > > > > > > > payload or only check the value we need?
> > > > > > > >
> > > > > > > > On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > > > > >
> > > > > > > > > On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Yes, I need to know which methods to override.
> > > > > > > > >
> > > > > > > > > I still do not understand what exactly you need to accomplish.
> > > > > > > > > Please be more specific!
> > > > > > > > >
> > > > > > > > > > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front...@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Dear all
> > > > > > > > > > > >
> > > > > > > > > > > > I use the built-in ajax dropdownchoice component; its default payload
> > > > > > > > > > > > is an xml entity, but if I need to prevent xml injection, how can I do it?
> > > > > > > > > > > >
> > > > > > > > > > > > ----------------------------------------------------------------------->
> > > > > > > > > > > > To boldly go where no man has gone before.
> > > > > > > > > > > > ----------------------------------------------------------------------->
> > > > > > > > > > > > We do this not because it is easy. We do this because it is hard.
> > > > > > > > > > > > ----------------------------------------------------------------------->
> > > > > > > > > > > > If I have seen further it is by standing on the shoulders of giants.
> > > > > > > > > > > > ----------------------------------------------------------------------->
> > > > > > > > > > > > front...@gmail.com
> > > > > > > > > > >
> > > > > > > > > > > Could you please give some more information on what exactly you need?

-- 
----------------------------------------------------------------------->
We do this not because it is easy. We do this because it is hard.
----------------------------------------------------------------------->
ShengChe Hsiao
----------------------------------------------------------------------->
front...@gmail.com
front...@tc.edu.tw
----------------------------------------------------------------------->
VoIP : 070-910-2450
----------------------------------------------------------------------->
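The approach the thread converges on (Martin Terra's "validate that the submitted values are legal", Martin Grigorov's reminder that the client only ever sends form-urlencoded key/value pairs and the XML is produced by the server) can be expressed as an allow-list validator on the driving DropDownChoice. The panel below is an added illustration written for this page, not code from the thread, the reporter's site or the Wicket project. It assumes Wicket 8 or later (lambda `IModel` and `IValidator`), a matching `LinkedChoicePanel.html` with `wicket:id="form"`, `"region"` and `"city"`, and constructed region/city lists; the class, field and choice names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.OnChangeAjaxBehavior;
import org.apache.wicket.markup.html.form.DropDownChoice;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;

/**
 * Hypothetical panel (not from the thread): a "region" DropDownChoice whose
 * OnChangeAjaxBehavior refreshes a dependent "city" DropDownChoice.
 * Assumes a LinkedChoicePanel.html with wicket:id="form", "region" and "city".
 */
public class LinkedChoicePanel extends Panel {
    private static final long serialVersionUID = 1L;

    // Constructed sample data: the only ids the server will ever accept.
    private static final List<String> REGIONS = Arrays.asList("north", "south");
    private static final List<String> NORTH_CITIES = Arrays.asList("Oulu", "Rovaniemi");
    private static final List<String> SOUTH_CITIES = Arrays.asList("Helsinki", "Turku");

    private String region;
    private String city;

    public LinkedChoicePanel(String id) {
        super(id);
        Form<Void> form = new Form<>("form");
        add(form);

        // The city list is derived on the server from the already-validated region,
        // never from anything the client sent for the city list itself.
        IModel<List<String>> cities = () -> citiesFor(region);
        DropDownChoice<String> cityChoice = new DropDownChoice<>("city",
                new PropertyModel<>(this, "city"), cities);
        cityChoice.setOutputMarkupId(true); // required so the Ajax response can replace it
        form.add(cityChoice);

        DropDownChoice<String> regionChoice = new DropDownChoice<>("region",
                new PropertyModel<>(this, "region"), REGIONS);
        regionChoice.setRequired(true);

        // Allow-list validator: the submitted value is a plain string taken from the
        // application/x-www-form-urlencoded request body. Anything that is not one of
        // the server-side choices (e.g. a string carrying "&xxe;" or markup) is rejected
        // before the model is updated and before any <ajax-response> is rendered.
        regionChoice.add((IValidator<String>) validatable -> {
            if (!REGIONS.contains(validatable.getValue())) {
                validatable.error(new ValidationError().setMessage(
                        "Submitted region is not one of the offered choices"));
            }
        });

        // onUpdate runs only after the input passed conversion and validation;
        // for invalid input Wicket calls onError instead and leaves the model untouched.
        regionChoice.add(new OnChangeAjaxBehavior() {
            private static final long serialVersionUID = 1L;

            @Override
            protected void onUpdate(AjaxRequestTarget target) {
                city = null;            // the old city may not belong to the new region
                target.add(cityChoice); // Wicket renders the XML response from server-side markup
            }
        });
        form.add(regionChoice);
    }

    /** Server-side lookup; an unknown or null region yields an empty list. */
    static List<String> citiesFor(String region) {
        if ("north".equals(region)) {
            return NORTH_CITIES;
        }
        if ("south".equals(region)) {
            return SOUTH_CITIES;
        }
        return Collections.emptyList();
    }
}
```

The design point follows Terra's clarification: the validator does nothing to stop a client from sending an arbitrary string for `region`, but it guarantees that only a value from the server's own list reaches the model, the dependent lookup and the rendered response. Because the check is an allow-list against the offered ids rather than a search for suspicious substrings, it is unaffected by how the payload is encoded. A feedback panel on the form (not shown) surfaces the validation message, and logging rejected submissions gives a cheap signal that someone is tampering with the request.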