Hi Martin,

Thank you very much, we'll go that route!

Jonathan Babie
Java Applications Developer
Work: (838) 910-4274

________________________________
From: Martin Grigorov <mgrigo...@apache.org>
Sent: Tuesday, November 8, 2022 3:18 AM
To: users@wicket.apache.org <users@wicket.apache.org>
Subject: Re: Host Header Injection Solution

Hi Jonathan,

On Tue, Nov 8, 2022 at 4:39 AM Jonathan P. Babie <jba...@osc.ny.gov.invalid> wrote:

> Hello,
>
> Our Wicket web application went through an app scan. We understand most
> problems that came back from the report and have solutions, but one that's
> troubling us is:
>
>
> I've omitted our URLs, but essentially it seems they were able to
> manipulate the hostname to a different url.
>
> Unfortunately we weren't given much context aside from this report.
>
> We assume that there are three avenues for us to resolve this:
>
> 1. Wicket configuration
> 2. Server configuration
> 3. Non-issue (if this problem is addressed with the framework itself
> and we don't need to worry about it)
>
> We did come across this filter that might be a solution:
>
> getRequestCycleListeners().add(new
> CsrfPreventionRequestCycleListener().addAcceptedOrigin("[domain]"));
>
> Would adding this to our application resolve the above problem?
>

Yes! This should be the solution!

>
> If there's any information you could provide as to how we can address it,
> we would greatly appreciate it.
>
> Thank you,
>
> Jonathan Babie
>
> Java Applications Developer
>
> Work: (838) 910-4274
>
> Personal: (518) 331-8758
>
> Notice: This communication, including any attachments, is intended solely
> for the use of the individual or entity to which it is addressed. This
> communication may contain information that is protected from disclosure
> under State and/or Federal law. Please notify the sender immediately if you
> have received this communication in error and delete this email from your
> system. If you are not the intended recipient, you are requested not to
> disclose, copy, distribute or take any action in reliance on the contents
> of this information.
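An added configuration example (not code from this thread or from the Wicket project) showing where the one-liner quoted above belongs in a Wicket application and which settings the listener exposes. The class names MyApplication and HomePage and the origin https://app.example.com are placeholders.

```java
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

// Hypothetical application class used to illustrate the wiring.
public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical home page of this example
    }

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // Origins (scheme + host, plus port when it is not the default) from which
        // requests that target page and component listeners, e.g. form submits,
        // are accepted. Placeholder values: use the real public origins of the deployment.
        csrf.addAcceptedOrigin("https://app.example.com");
        csrf.addAcceptedOrigin("https://app.example.com:8443");

        // A request whose Origin header (or Referer, when Origin is absent) names
        // any other origin is aborted with the configured HTTP error.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);
        csrf.setErrorCode(400);
        csrf.setErrorMessage("Request origin is not an accepted origin");

        // Requests that carry neither Origin nor Referer: set this deliberately.
        // ABORT refuses clients that strip both headers; ALLOW lets them through.
        csrf.setNoOriginAction(CsrfAction.ABORT);

        getRequestCycleListeners().add(csrf);
    }
}
```

The listener validates the origin of incoming requests; absolute URLs that Wicket renders still come from the container's view of the request host, so the server-side virtual host configuration (avenue 2 in the quoted list) remains worth setting.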