wicket-users mailing list archives

From Shengche Hsiao <shengchehs...@gmail.com>
Subject Re: About XML Injection
Date Sat, 11 Apr 2020 03:28:24 GMT
Yes, super thanks for the detailed explanation

On Sat, Apr 11, 2020 at 11:19 AM Martin Terra <martin.terra@koodaripalvelut.com> wrote:

> On Sat, 11 Apr 2020 at 5:58, Shengche Hsiao (shengchehsiao@gmail.com)
> wrote:
>
> > Thanks Martin, I might have misunderstood the report, and I'll validate the
> > submitted values to prevent XML injection.
> >
>
> You're welcome. To clarify: validation can prevent any malicious effects of
> injected values, but it cannot prevent the injection itself. Therefore,
> validation could cure the issue found in the report. This should
> of course be verified by reproducing the issue before the fix and confirming
> that applying the fix successfully mitigates the issue.
>
> **
> Martin
>
>
> > On Thu, Apr 9, 2020 at 8:07 PM Martin Grigorov <mgrigorov@apache.org>
> > wrote:
> >
> > > I still do not understand what exactly is the issue here.
> > >
> > > The client/browser submits the values as key/value pairs
> > > (application/x-www-form-urlencoded).
> > > The server responds with XML that is processed by wicket-ajax.js.
> > > How could validation of the submitted values help with the XML injection?!
> > >
> > >
> > > On Thu, Apr 9, 2020 at 2:52 PM Shengche Hsiao <shengchehsiao@gmail.com>
> > > wrote:
> > >
> > > > Thank you, I'll do that and see if it works
> > > >
> > > > On Thu, Apr 9, 2020 at 6:35 PM Martin Terra <
> > > > martin.terra@koodaripalvelut.com> wrote:
> > > >
> > > > > Can you solve this by simple validation of whether the submitted values
> > > > > are legal? This way it does not matter if the client tries to override
> > > > > the submit.
> > > > >
> > > > > **
> > > > > Martin
> > > > >
> > > > > On Thu, 9 Apr 2020 at 12:22, Shengche Hsiao (shengchehsiao@gmail.com)
> > > > > wrote:
> > > > >
> > > > > > I got a report; it suggests our web site should deal with an XML
> > > > > > injection issue. We use DropDownChoice with OnChangeAjaxBehavior to
> > > > > > invoke another DropDownChoice via the wicket-ajax built-in XML
> > > > > > payload, and the reporters used Burp Suite to inject XML into the
> > > > > > XML payload, such as injecting &xxe;
> > > > > >
> > > > > > image.png
> > > > > > <https://drive.google.com/file/d/1U9nls1Z7tfs_zqEvbLLYsef89BFMopeY/view?usp=drive_web>
> > > > > >
> > > > > > and resulted in some abnormal response
> > > > > >
> > > > > > image.png
> > > > > > <https://drive.google.com/file/d/1RcAegoREfmkdPNm1DCw9ouUyfI20lh7K/view?usp=drive_web>
> > > > > >
> > > > > > As a result, I have to prevent the XML injection. Do I check the
> > > > > > entire payload or only check the values we need?
> > > > > >
> > > > > > On Thu, Apr 9, 2020 at 4:57 PM Martin Grigorov <mgrigorov@apache.org>
> > > > > > wrote:
> > > > > >
> > > > > > > The images didn't make it to the mailing list.
> > > > > > > Please use some online image paste bin.
> > > > > > >
> > > > > > > On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao <shengchehsiao@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I got a report; it suggests our web site should deal with an XML
> > > > > > > > injection issue. We use DropDownChoice with OnChangeAjaxBehavior to
> > > > > > > > invoke another DropDownChoice via the wicket-ajax built-in XML
> > > > > > > > payload, and the reporters used Burp Suite to inject XML into the
> > > > > > > > XML payload, such as injecting &xxe;
> > > > > > > >
> > > > > > > > [image: image.png]
> > > > > > > >
> > > > > > > > and resulted in some abnormal response
> > > > > > > >
> > > > > > > > [image: image.png]
> > > > > > > >
> > > > > > > > As a result, I have to prevent the XML injection. Do I check the
> > > > > > > > entire payload or only check the values we need?
> > > > > > > >
> > > > > > > > On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigorov@apache.org>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > >> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehsiao@gmail.com>
> > > > > > > >> wrote:
> > > > > > > >>
> > > > > > > >> > Yes, I need to know which methods to override
> > > > > > > >> >
> > > > > > > >>
> > > > > > > >> I still do not understand what exactly you need to accomplish.
> > > > > > > >> Please be more specific!
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> >
> > > > > > > >> > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigorov@apache.org>
> > > > > > > >> > wrote:
> > > > > > > >> >
> > > > > > > >> > > Hi,
> > > > > > > >> > >
> > > > > > > >> > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front713@gmail.com>
> > > > > > > >> > > wrote:
> > > > > > > >> > >
> > > > > > > >> > > > Dear all
> > > > > > > >> > > >
> > > > > > > >> > > > I use the built-in ajax DropDownChoice component; its default
> > > > > > > >> > > > payload is an XML entity, but if I need to prevent XML
> > > > > > > >> > > > injection, how can I do that?
> > > > > > > >> > > >
> > > > > > > >> > >
> > > > > > > >> > > Could you please give some more information about what exactly
> > > > > > > >> > > you need?
> > > > > > > >> > >
> > > > > > > >> > >
> > > > > > > >> > > >
> > > > > > > >> > > >
> > > > > > > >> > > >
> > > > > > > >> > > > ----------------------------------------------------------------------->
> > > > > > > >> > > > To boldly go where no man has gone before.
> > > > > > > >> > > > ----------------------------------------------------------------------->
> > > > > > > >> > > > We do this not because it is easy. We do this because it is hard.
> > > > > > > >> > > > ----------------------------------------------------------------------->
> > > > > > > >> > > > If I have seen further it is by standing on the shoulders of giants.
> > > > > > > >> > > > ----------------------------------------------------------------------->
> > > > > > > >> > > > front713@gmail.com
> > > > > > > >> > > > ----------------------------------------------------------------------->
> > > > > > > >> > > >
> > > > > > > >> > >
> > > > > > > >> > --
> > > > > > > >> > ----------------------------------------------------------------------->
> > > > > > > >> > We do this not because it is easy. We do this because it is hard.
> > > > > > > >> > ----------------------------------------------------------------------->
> > > > > > > >> > ShengChe Hsiao
> > > > > > > >> > ----------------------------------------------------------------------->
> > > > > > > >> > front713@gmail.com
> > > > > > > >> > front713@tc.edu.tw
> > > > > > > >> > ----------------------------------------------------------------------->
> > > > > > > >> > VoIP : 070-910-2450
> > > > > > > >> > ----------------------------------------------------------------------->
> > > > > > > >> >
> > > > > > > >>
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> >
>


-- 

----------------------------------------------------------------------->
We do this not because it is easy. We do this because it is hard.
----------------------------------------------------------------------->
ShengChe Hsiao
----------------------------------------------------------------------->
front713@gmail.com
front713@tc.edu.tw
----------------------------------------------------------------------->
VoIP : 070-910-2450
----------------------------------------------------------------------->
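The thread settles on two separate controls, and the following Java class illustrates both as an added example; it is not code from the thread, from the reporters, or from Wicket itself. On the server, any user-submitted value that gets echoed into the Ajax XML response is escaped before it is written, so the value cannot close its element or introduce an entity reference (this is what Martin Terra's "validation prevents the malicious effects" amounts to in practice). Separately, any XML the server parses on its own behalf is read with DOCTYPE declarations and external entities disabled, which is the control that neutralises an `&xxe;` style payload regardless of how it arrived. The `<ajax-response>`/`<component>` envelope is only loosely modelled on Wicket's format, and the component id `dd2`, the `escapeXml`, `buildResponse`, `hardenedBuilder` and `accepts` helpers and the sample values are all assumptions constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class AjaxXmlHardening {

    // Escape the five XML-significant characters so a user-submitted value
    // can sit in element text or an attribute value without changing the
    // document's structure or introducing an entity reference.
    // Hypothetical helper for this example, not Wicket's own serializer.
    static String escapeXml(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build a response loosely modelled on Wicket's <ajax-response> envelope
    // (assumed shape, constructed for the example). The selected option label
    // is the only user-influenced part and is escaped on the way in.
    static String buildResponse(String componentId, String label) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
             + "<ajax-response>"
             + "<component id=\"" + escapeXml(componentId) + "\">"
             + escapeXml(label)
             + "</component>"
             + "</ajax-response>";
    }

    // A DocumentBuilder that rejects any DOCTYPE (an &xxe; payload needs a
    // DTD to declare its entity) and additionally disables external entity
    // resolution, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True if the document parses under the hardened settings; a payload that
    // smuggles in a DOCTYPE is refused before any entity could be expanded.
    static boolean accepts(String xml) throws ParserConfigurationException {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the report in the thread.
        String submitted = "Taipei</component>&xxe;<component id=\"x\">";
        String response = buildResponse("dd2", submitted);
        System.out.println(response);
        System.out.println("escaped response parses: " + accepts(response));

        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY xxe \"internal\">]><r>&xxe;</r>";
        System.out.println("DOCTYPE payload accepted: " + accepts(withDoctype));
    }
}
```

The escaped response keeps the hostile label as inert text inside its `<component>` element, while the second document is refused by `hardenedBuilder()` as soon as the parser sees the DOCTYPE. Note that the browser-side consumer (wicket-ajax.js) only ever sees the response the server produced, so a value edited in an intercepting proxy changes the response for that one client; the escaping step is what stops a submitted value from reshaping the XML the server sends to everyone.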
