wicket-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Bors <p...@bors.ws>
Subject Re: XSS in wicket. Wicket fault or my fault?
Date Wed, 29 Jan 2014 20:29:29 GMT
No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <
gaguilar@aguilardelgado.com> wrote:

> Hi there,
>
> I'm building an application for a client and my security advisor told me
> about a XSS attack that can be performed on the site.
>
> When user logs-in I welcome they by Saying "Hello user".
>
> <div class="thumbnail">
>                     <p wicket:id="message">
>                         Hello ${realName}.
>                         Welcome to the Synapse web.
>                     </p>
>                 </div>
>
>
> As you can see I use I18N so this is not the real text that will show up,
> but's similar.
>
> I used to think that wicket validated output before building web but the
> white hat hacked it by just putting a fake name into the database. Too easy
> for me...
>
> The content of realName is:
>
> '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
>
>
> So I ended with:
>
> Hello<b>'';!--"<script>alert('XSS')</script>=&amp;{()}
>
> In the web page. And the script executed on login.
>
> I was thinking about baking a method into my DAO classes to validate
> everything that goes to the database. But it should be a better solution.
>
> Can you point me to right one?
>
>
>
> Best regards,
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message