Hello,

Our Wicket web application went through an app scan.  We understand most 
problems that came back from the report and have solutions, but one that's 
troubling us is:

Blind XPath Injection
Severity: Medium
CVSS Score: 6.4
Entity: regionFormGroup:regionFormGroup_body:regionTextField (Parameter)
Risk: It is possible to access information stored in a sensitive data resource
Cause: Sanitation of hazardous characters was not performed correctly on user 
input
Fix: Review possible solutions for hazardous character injection
Difference:
Parameter regionFormGroup:regionFormGroup_body:regionTextField manipulated 
from: b to: b%27+and+last%28%29%3Dlast%28%29+or+%27
Parameter regionFormGroup:regionFormGroup_body:regionTextField manipulated 
from: b to: b%27+and+not%28last%28%29%29%3Dlast%28%29+or%27
Parameter regionFormGroup:regionFormGroup_body:regionTextField manipulated 
from: b to: b%27+and+position%28%29%3Dposition%28%29+or+%27
Reasoning: The test result seems to indicate a vulnerability because it shows 
that values can be appended to parameter values, indicating that they were 
embedded in an Xpath query. In this test, four (or sometimes five) requests are 
sent. One of the last two should be logically equal to the original, and the 
request before that is different, and should yield empty result or error. Any 
others are for control purposes. A comparison between the responses of the 
equivalent requests, and those that are not equivalent with the first (the 
equivalent options are similar to it, and the erroneous one is different) 
indicates that the application is vulnerable.

Test Requests and Responses:
POST /lgmm/1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZDb7eWl9v5shigfUuZPG54Nckxrw3uEsF01z1jdgTzDjsiYMQe_Wp04lViFNHIjn9LpPw9tg8gq5DRvPE2MTYlx82jMU_2xmlJJMYGoOTwwKnJRA94d_aqyTlatMrDzSr/1EFf1/rGm57 HTTP/1.1
Host: example.domain.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
Wicket-FocusedElementId: id87
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/xml, text/xml, */*; q=0.01
Wicket-Ajax-BaseURL: 1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZmajvnhPJ2o8/1EFf1/-gvdb
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
sec-ch-ua-platform: "Windows"
Origin: https://example.domain.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.domain.com/lgmm/1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZmajvnhPJ2o8/1EFf1/-gvdb
Accept-Language: en-US
Content-Length: 58

regionFormGroup%3AregionFormGroup_body%3AregionTextField=b

HTTP/1.1 200 OK
Date: Fri, 28 Oct 2022 01:26:27 GMT
X-Powered-By: Servlet/3.1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Ajax-Location: ../../1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZGxUSqIGs5Tb2rcQ5fnAdfw/1EFf1/rYC7b
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml;charset=UTF-8
Content-Language: en-US
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload
<ajax-response>
 
<redirect><![CDATA[../../1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZGxUSqIGs5Tb2rcQ5fnAdfw/1EFf1/rYC7b]]></redirec
...
...
...
Content-Length: 96

regionFormGroup%3AregionFormGroup_body%3AregionTextField=b%27+and+last%28%29%3Dlast%28%29+or+%27

HTTP/1.1 200 OK
Date: Fri, 28 Oct 2022 01:26:27 GMT
X-Powered-By: Servlet/3.1
...
...
...
Content-Length: 104

regionFormGroup%3AregionFormGroup_body%3AregionTextField=b%27+and+not%28last%28%29%29%3Dlast%28%29+or%27

HTTP/1.1 200 OK
Date: Fri, 28 Oct 2022 01:26:27 GMT
X-Powered-By: Servlet/3.1
...
...
...
Content-Length: 104

regionFormGroup%3AregionFormGroup_body%3AregionTextField=b%27+and+position%28%29%3Dposition%28%29+or+%27

HTTP/1.1 200 OK
Date: Fri, 28 Oct 2022 01:26:27 GMT
X-Powered-By: Servlet/3.1


We're having a hard time understanding what's even happening here or if it's a 
threat, but essentially we have a very simple Panel with a TextField that 
drives a DataTable via ajax, and it appears that somehow the app scan is 
manipulating the TextField with a POST and sending garbage data.

Unfortunately we don't have any context aside from this report.

We were hoping you might help us understand the problem, and let us know if 
this is something we can/should configure in the Wicket framework. Since this 
is a Medium severity, we are being told that this has to be dealt with.

Any information to guide us would be greatly appreciated.

Thank you,


Jonathan Babie

Java Applications Developer

Work: (838) 910-4274
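To see what the scanner's reasoning section describes, here is an added example (not code from the original post or from Wicket) of the server-side pattern that produces this finding, beside the fix. It assumes the handler behind the TextField builds an XPath query from the model value and queries a constructed in-memory document named SAMPLE_XML; the class and method names are illustrative. Wicket itself has no setting for this: the problem, if it exists, is in the code that consumes the TextField's value.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class RegionLookup {
    // Constructed sample data standing in for whatever the DataTable really queries.
    private static final String SAMPLE_XML =
        "<regions><region name=\"a\">A</region><region name=\"b\">B</region></regions>";

    // Vulnerable pattern: the TextField's model value is concatenated into the query,
    // so a quote in the input closes the literal and the rest is parsed as XPath.
    static int countVulnerable(Document doc, String userInput) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/regions/region[@name='" + userInput + "']";
        return ((NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET)).getLength();
    }

    // Hardened pattern: the value is bound as the XPath variable $name, so it is only
    // ever compared as a string and cannot change the structure of the query.
    static int countSafe(Document doc, String userInput) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(qname ->
            "name".equals(qname.getLocalPart()) ? userInput : null);
        return ((NodeList) xp.evaluate("/regions/region[@name=$name]", doc,
                                       XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));
        // The scanner's probes from the report above, URL-decoded.
        String[] inputs = {
            "b",
            "b' and last()=last() or '",          // logically equal to the original
            "b' and not(last())=last() or'",      // should yield an empty result
            "b' and position()=position() or '",  // logically equal to the original
        };
        for (String in : inputs) {
            System.out.printf("%-40s vulnerable=%d safe=%d%n",
                in, countVulnerable(doc, in), countSafe(doc, in));
        }
    }
}
```

With the concatenating version, the not(last()) probe returns a different result count than the original and the two equivalent probes, which is exactly the response difference the scanner compares on; with the variable-bound version every probe is just a region name that matches nothing, so all responses are alike and the finding goes away. If the TextField's value never reaches an XPath (or similar) query at all, the scanner's comparison is a false positive, and the way to show that is to trace where the model value goes in the DataTable's data provider.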
