Re: XSS in wicket. Wicket fault or my fault?

Thu, 30 Jan 2014 02:22:53 -0800 

Hi!

You can also replace your Label's model with a StringResourceModel.
See http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html 

Met vriendelijke groet,
Kind regards,

Bas Gooren

schreef Gonzalo Aguilar Delgado op 30-1-2014 11:17:

Hi Martin,

This is how I've done it.
label = new Label("message", getString("main.message", new Model<WebUser>(authSession.getUser()))); 
        label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:
main.message=Hello <b>${realName}</b>.<br> Welcome to the Technoactivity Payment Solutions main page. 


And it worked!


El 30/01/14 10:03, Martin Grigorov escribió:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,
I'm building an application for a client and my security advisor told me 
about a XSS attack that can be performed on the site.

When user logs-in I welcome they by Saying "Hello user".

<div class="thumbnail">
                     <p wicket:id="message">
                         Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
Together with: page.add(new Label("realName", "Some Name");



                         Welcome to the Synapse web.
                     </p>
                 </div>
As you can see I use I18N so this is not the real text that will show up, 
but's similar.
I used to think that wicket validated output before building web but the white hat hacked it by just putting a fake name into the database. Too easy 
for me...

The content of realName is:

'';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}


So I ended with:

Hello<b>'';!--"<script>alert('XSS')</script>=&amp;{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution. 

Can you point me to right one?



Best regards,






---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to