On Sat, 11 Apr 2020 at 5:58 Shengche Hsiao (shengchehs...@gmail.com) wrote:

> Thanks Martin, I might misunderstand the report, and I'll validate the
> submitted values to prevent XML injection.
>

You're welcome. To clarify: validation can prevent any malicious effects of
injected values, but it cannot prevent the injection itself. Therefore,
validation could cure the issue found in the report. This should
of course be verified by reproducing the issue before the fix and confirming
that applying the fix successfully mitigates the issue.

**
Martin


> On Thu, Apr 9, 2020 at 8:07 PM Martin Grigorov <mgrigo...@apache.org>
> wrote:
>
> > I still do not understand what exactly is the issue here.
> >
> > The client/browser submits the values as key/value pairs
> > (application/x-www-form-urlencoded).
> > The server responds with XML that is processed by wicket-ajax.js.
> > How could validation of the submitted values help with the XML injection?!
> >
> >
> > On Thu, Apr 9, 2020 at 2:52 PM Shengche Hsiao <shengchehs...@gmail.com>
> > wrote:
> >
> > > Thank you, I'll do that and see if it works
> > >
> > > On Thu, Apr 9, 2020 at 6:35 PM Martin Terra <martin.te...@koodaripalvelut.com> wrote:
> > >
> > > > Can you solve this by simple validation of whether the submitted values are legal? This
> > > > way it does not matter if the client tries to override the submit.
> > > >
> > > > **
> > > > Martin
> > > >
> > > > On Thu, 9 Apr 2020 at 12:22 Shengche Hsiao (shengchehs...@gmail.com) wrote:
> > > >
> > > > > I got a report; it suggests our web site should deal with an XML injection
> > > > > issue.
> > > > > We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> > > > > DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
> > > > > used Burpsuite to inject XML into the XML payload, such as injecting &xxe;
> > > > >
> > > > > image.png <https://drive.google.com/file/d/1U9nls1Z7tfs_zqEvbLLYsef89BFMopeY/view?usp=drive_web>
> > > > >
> > > > > and resulted in some abnormal response
> > > > >
> > > > > image.png <https://drive.google.com/file/d/1RcAegoREfmkdPNm1DCw9ouUyfI20lh7K/view?usp=drive_web>
> > > > >
> > > > > As a result, I have to prevent the XML injection; do I check the entire
> > > > > payload or only check the value we need?
> > > > >
> > > > > On Thu, Apr 9, 2020 at 4:57 PM Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > >
> > > > > > The images didn't make it to the mailing list.
> > > > > > Please use some online image paste bin.
> > > > > >
> > > > > > On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
> > > > > >
> > > > > > > I got a report; it suggests our web site should deal with an XML injection
> > > > > > > issue.
> > > > > > > We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> > > > > > > DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
> > > > > > > used Burpsuite to inject XML into the XML payload, such as injecting &xxe;
> > > > > > >
> > > > > > > [image: image.png]
> > > > > > >
> > > > > > > and resulted in some abnormal response
> > > > > > >
> > > > > > > [image: image.png]
> > > > > > >
> > > > > > > As a result, I have to prevent the XML injection; do I check the entire
> > > > > > > payload or only check the value we need?
> > > > > > >
> > > > > > > On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > > > >
> > > > > > >> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
> > > > > > >>
> > > > > > >> > Yes, I need to know overriding which methods
> > > > > > >> >
> > > > > > >>
> > > > > > >> I still do not understand what exactly you need to accomplish.
> > > > > > >> Please be more specific!
> > > > > > >>
> > > > > > >>
> > > > > > >> >
> > > > > > >> > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > > > >> >
> > > > > > >> > > Hi,
> > > > > > >> > >
> > > > > > >> > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front...@gmail.com> wrote:
> > > > > > >> > >
> > > > > > >> > > > Dear all
> > > > > > >> > > >
> > > > > > >> > > > I use the built-in ajax dropdownchoice component; its default
> > > > > > >> > > > payload is an XML entity, but if I need to prevent XML injection,
> > > > > > >> > > > how can I do that?
> > > > > > >> > > >
> > > > > > >> > >
> > > > > > >> > > Could you please give some more information about what exactly you need?
> > > > > > >> > >
> > > > > > >> > >
> > > > > > >> > > >
> > > > > > >> > > > ------------------------------------------------------------------>
> > > > > > >> > > > To boldly go where no man has gone before.
> > > > > > >> > > > ------------------------------------------------------------------>
> > > > > > >> > > > We do this not because it is easy. We do this because it is hard.
> > > > > > >> > > > ------------------------------------------------------------------>
> > > > > > >> > > > If I have seen further it is by standing on the shoulders of giants.
> > > > > > >> > > > ------------------------------------------------------------------>
> > > > > > >> > > > front...@gmail.com
> > > > > > >> > > > ------------------------------------------------------------------>
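The validate-then-render approach Martin Terra recommends in the thread, as an added example modelled in Python rather than Wicket's own Java (this is not code from the thread or from the Wicket project): the server accepts the submitted dropdown id only if it is one of the legal choices and escapes everything it reflects into the XML reply that the client-side script parses. The element names, the CHOICES table and functions such as handle_submit are constructed for the example.

```python
from urllib.parse import parse_qs
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Constructed model of the exchange described in the thread: the browser posts the
# selected DropDownChoice id as application/x-www-form-urlencoded and the server
# answers with XML that the client-side script parses. Added example, not Wicket's
# own code; the element names and the CHOICES table are hypothetical.

# Legal ids of the first dropdown and the dependent choices each one unlocks.
CHOICES = {
    "tw": ["taipei", "taichung"],
    "fi": ["helsinki", "tampere"],
}

def validate_choice(submitted, allowed):
    """Whitelist check: accept only a value that is one of the legal choice ids.
    A missing, unknown or injected value such as '&xxe;' is rejected outright,
    so it never reaches the code that builds the response."""
    return submitted if submitted in allowed else None

def render_options(component_id, options):
    """XML fragment for the dependent dropdown. Every reflected string is escaped,
    so no value can turn into markup or an entity reference in the reply."""
    items = "".join(f"<option value={quoteattr(o)}>{escape(o)}</option>" for o in options)
    return f"<component id={quoteattr(component_id)}>{items}</component>"

def handle_submit(body):
    """Server side: parse the urlencoded submit, validate it, build the XML reply."""
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get("country", [None])[0]
    country = validate_choice(submitted, CHOICES)
    if country is None:
        # Fixed error reply: the submitted text is not echoed back at all.
        return '<ajax-response><error code="invalid-choice"/></ajax-response>'
    return f"<ajax-response>{render_options('city', CHOICES[country])}</ajax-response>"

def option_values(response):
    """Client side: parse the reply with a strict XML parser (an undefined entity
    such as &xxe; would raise ParseError) and return the option ids it carries."""
    root = ET.fromstring(response)
    return [o.get("value") for o in root.iter("option")]

if __name__ == "__main__":
    print(option_values(handle_submit("country=fi")))         # ['helsinki', 'tampere']
    print(option_values(handle_submit("country=%26xxe%3B")))  # [] ("&xxe;" urlencoded)
```

The reply is built only from the server-side CHOICES table; the submitted text serves solely to look up an allowed entry, which is what makes checking just the one value you need sufficient.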
