Hi there,
I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.
When a user logs in I welcome them by saying "Hello user".
<div class="thumbnail">
<p wicket:id="message">
Hello ${realName}.
Welcome to the Synapse web.
</p>
</div>
As you can see I use I18N so this is not the real text that will show
up, but it's similar.
I used to think that Wicket validated output before building the page, but the
white hat hacked it by just putting a fake name into the database. Too
easy for me...
The content of realName is:
'';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
So I ended up with:
Hello<b>'';!--"<script>alert('XSS')</script>=&{()}
in the web page, and the script executed on login.
I was thinking about baking a method into my DAO classes to validate everything
that goes to the database, but there should be a better solution.
Can you point me to the right one?
Best regards,
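The pattern the post is asking for, as an added example (not code from the original post or from the Wicket project): encode the user-controlled value at the render boundary, where `${realName}` is interpolated, instead of trying to sanitize it on the way into the database. The input could just as well arrive from LDAP, an import, or a different application, so a DAO-side filter does not protect the page. The page class, the `User` class, the `welcome` resource key, and the component ids are hypothetical; the example assumes Wicket 6-era APIs (`Label`, `StringResourceModel`, `Model`/`LoadableDetachableModel`, `Strings.escapeMarkup`) and has not been built against any particular release.

```java
// Added example, not from the original post. Assumes Wicket 6-era APIs;
// WelcomePage, User and the "welcome" resource key are hypothetical.
import java.util.HashMap;
import java.util.Map;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.LoadableDetachableModel;
import org.apache.wicket.model.StringResourceModel;
import org.apache.wicket.util.string.Strings;

public class WelcomePage extends WebPage {

    // WelcomePage.properties (hypothetical resource bundle):
    //   welcome=Hello <b>${realName}</b>. Welcome to the Synapse web.
    //
    // Template (hypothetical):
    //   <p wicket:id="plainMessage">Hello ${realName}.</p>
    //   <p wicket:id="message">Hello ${realName}.</p>

    public WelcomePage(final IModel<User> userModel) {
        // Variant 1: the message is plain text. Label escapes its whole model
        // string by default (setEscapeModelStrings(true)), so a name such as
        //   '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
        // is rendered as visible text, not as markup. Any <b> in the resource
        // string is escaped too, which is why this variant suits text-only messages.
        add(new Label("plainMessage", new StringResourceModel("welcome", this, userModel)));

        // Variant 2: the resource string must keep its own markup (the <b>).
        // Escape the user-controlled value *before* it is interpolated into the
        // developer-controlled template, then let the Label emit the result raw.
        // Only strings the developer wrote remain unescaped.
        IModel<Map<String, String>> escapedVars = new LoadableDetachableModel<Map<String, String>>() {
            @Override
            protected Map<String, String> load() {
                Map<String, String> vars = new HashMap<String, String>();
                // Strings.escapeMarkup encodes <, >, &, " and ' for an HTML text context.
                vars.put("realName", Strings.escapeMarkup(userModel.getObject().getRealName()).toString());
                return vars;
            }
        };
        add(new Label("message", new StringResourceModel("welcome", this, escapedVars))
                .setEscapeModelStrings(false));
    }
}

// Hypothetical domain object; realName is whatever the database holds.
class User {
    private final String realName;

    User(String realName) {
        this.realName = realName;
    }

    public String getRealName() {
        return realName;
    }
}
```

Two checks worth doing after the change: search the code base for `setEscapeModelStrings(false)` and `MultiLineLabel`/`wicket:message` usages and confirm every interpolated value at those sites is either developer-controlled or escaped first, and keep the "fake name in the database" test case the advisor used as a regression test, since the rendered page should now contain `&lt;script&gt;` rather than `<script>`.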