wicket-users mailing list archives

From Daniel Stoch <daniel.st...@gmail.com>
Subject Users can be redirected based on unvalidated input (CWE-601: URL Redirection to Untrusted Site)
Date Wed, 13 Nov 2019 17:30:22 GMT
Hi,

Do you have any knowledge of how to protect a Wicket application against
such a problem:
http://cwe.mitre.org/data/definitions/601.html

In short: redirect request can be intercepted and the attacker can
change Host header to another value.

Can it be done at the application (Wicket, Java Servlet) level (such as Host
header checking), or should it be done outside the app, at the
reverse-proxy level, ...?


More details:

Description:
The application redirects users based on the value of the Host header.
As this value is not properly validated, redirects to third party
domains can occur.

Impact:
It is possible to redirect application users to a URL outside the
customer control. Such a website might be used in phishing attacks to
harvest user credentials or try to exploit vulnerabilities on a user’s
machine.
This vulnerability might also lead to web-cache poisoning and
poisoning of links that are sent to a user via an e-mail
functionality.

Proposal:
Validate all input parameters used for redirection and deny any
request if the supplied value does not belong to the application’s
domain.

--
Daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
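One way to do the proposed check at the servlet level, as an added example that is not code from this thread or from Wicket: a Filter that rejects any request whose Host header is not one of the hostnames the application is deployed under, so absolute redirect URLs built from the request can only point at the application's own domain. The class name `HostHeaderFilter`, the method `isAllowedHost` and the hostnames in `ALLOWED_HOSTS` are assumptions; register the filter in web.xml ahead of the Wicket filter.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Denies requests whose Host header does not name one of the hostnames this
 * application is actually served under (mitigation for CWE-601 via Host).
 */
public class HostHeaderFilter implements Filter {

    // Assumed deployment hostnames; a real application loads these from configuration.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("app.example.com", "www.example.com");

    /** True if the raw Host header value names an allowed host; an explicit port is ignored. */
    static boolean isAllowedHost(String hostHeader) {
        if (hostHeader == null || hostHeader.isBlank()) {
            return false;
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (host.startsWith("[")) {
            return false; // IPv6 literals are never a deployment hostname here
        }
        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon); // "app.example.com:8443" -> "app.example.com"
        }
        // Exact match only: "app.example.com.evil.test" or "evil.test#app.example.com" fail.
        return ALLOWED_HOSTS.contains(host);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!isAllowedHost(request.getHeader("Host"))) {
            // Answer with an error, not a redirect: a redirect here would reintroduce the issue.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid Host header");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Behind a reverse proxy that rewrites Host, apply the same allowlist to whichever forwarded header the application uses when it builds absolute URLs, or enforce the allowlist at the proxy itself so that only known hostnames ever reach the servlet container.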

