Hi Jonathan,

On Tue, Nov 8, 2022 at 4:39 AM Jonathan P. Babie <jba...@osc.ny.gov.invalid> wrote:

> Hello,
>
> Our Wicket web application went through an app scan. We understand most
> problems that came back from the report and have solutions, but one that's
> troubling us is:
>
> I've omitted our URLs, but essentially it seems they were able to
> manipulate the hostname to a different URL.
>
> Unfortunately we weren't given much context aside from this report.
>
> We assume that there are three avenues for us to resolve this:
>
> 1. Wicket configuration
> 2. Server configuration
> 3. Non-issue (if this problem is addressed with the framework itself
>    and we don't need to worry about it)
>
> We did come across this filter that might be a solution:
>
> getRequestCycleListeners().add(new
> CsrfPreventionRequestCycleListener().addAcceptedOrigin("[domain]"));
>
> Would adding this to our application resolve the above problem?

Yes! This should be the solution!

> If there's any information you could provide as to how we can address it,
> we would greatly appreciate it.
>
> Thank you,
>
> Jonathan Babie
>
> Java Applications Developer
>
> Work: (838) 910-4274
>
> Personal: (518) 331-8758
>
> Notice: This communication, including any attachments, is intended solely
> for the use of the individual or entity to which it is addressed. This
> communication may contain information that is protected from disclosure
> under State and/or Federal law. Please notify the sender immediately if you
> have received this communication in error and delete this email from your
> system. If you are not the intended recipient, you are requested not to
> disclose, copy, distribute or take any action in reliance on the contents
> of this information.
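For readers landing on this thread, here is the one-line snippet from the question expanded into a complete `WebApplication.init()`. This is an added example, not code from the original mail or from the Wicket project; `MyApplication`, `HomePage` and the origin `app.example.invalid` are placeholders standing in for the redacted `[domain]`. The listener checks the `Origin` (or, failing that, `Referer`) header of requests that target component listeners such as form submissions against the request host plus any accepted origins, so only the application's own public hostname should be whitelisted; the remaining setters are the listener's documented tuning knobs, shown here with the strict choices a defender would typically pick.

```java
// Added example: registering Wicket's CsrfPreventionRequestCycleListener.
// Package, class names and the origin string are assumptions for illustration.
package example;

import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // assumed: the application's home page class
    }

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // Whitelist only the hostname users actually reach the application on.
        // Placeholder for the "[domain]" redacted in the thread.
        csrf.addAcceptedOrigin("app.example.invalid");

        // Origin/Referer present but not matching the request host or the
        // whitelist: reject the request (ABORT is also the listener's default).
        csrf.setConflictingOriginAction(CsrfAction.ABORT);

        // Neither Origin nor Referer header present: the default is ALLOW.
        // ABORT is stricter; verify it does not break legitimate clients or
        // proxies that strip these headers before enabling it in production.
        csrf.setNoOriginAction(CsrfAction.ABORT);

        // Response returned to rejected requests; 403 is easier to spot in
        // access logs than the default 400.
        csrf.setErrorCode(403);
        csrf.setErrorMessage("Origin does not match this application");

        getRequestCycleListeners().add(csrf);
    }
}
```

After deploying, re-run the scan and also watch the access log for the chosen error code: a burst of 403s from real users usually means the accepted origin does not match the hostname they use (for example a bare domain versus a `www.` prefix, or a reverse proxy presenting a different host), not an attack.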