TL;DR: In general a Wicket app should do server-side validation, and if the client submits a valid query then it might not be a problem; otherwise you need to add validation.
Does this ring a bell?

**
Martin

On Tue, 8 Nov 2022 at 6:03, Jonathan P. Babie (jba...@osc.ny.gov.invalid) wrote:

> Hello,
>
> Our Wicket web application went through an app scan. We understand most problems that came back from the report and have solutions, but one that's troubling us is:
>
> Blind XPath Injection
> Severity: Medium
> CVSS Score: 6.4
> Entity: regionFormGroup:regionFormGroup_body:regionTextField (Parameter)
> Risk: It is possible to access information stored in a sensitive data resource
> Cause: Sanitation of hazardous characters was not performed correctly on user input
> Fix: Review possible solutions for hazardous character injection
> Difference:
> Parameter regionFormGroup:regionFormGroup_body:regionTextField manipulated from: b to: b%27+and+last%28%29%3Dlast%28%29+or+%27
> Parameter regionFormGroup:regionFormGroup_body:regionTextField manipulated from: b to: b%27+and+not%28last%28%29%29%3Dlast%28%29+or%27
> Parameter regionFormGroup:regionFormGroup_body:regionTextField manipulated from: b to: b%27+and+position%28%29%3Dposition%28%29+or+%27
> Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an Xpath query. In this test, four (or sometimes five) requests are sent. One of the last two should be logically equal to the original, and the request before that is different, and should yield an empty result or error. Any others are for control purposes. A comparison between the responses of the equivalent requests, and those that are not equivalent with the first (the equivalent options are similar to it, and the erroneous one is different) indicates that the application is vulnerable.
>
> Test Requests and Responses:
>
> POST /lgmm/1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZDb7eWl9v5shigfUuZPG54Nckxrw3uEsF01z1jdgTzDjsiYMQe_Wp04lViFNHIjn9LpPw9tg8gq5DRvPE2MTYlx82jMU_2xmlJJMYGoOTwwKnJRA94d_aqyTlatMrDzSr/1EFf1/rGm57 HTTP/1.1
> Host: example.domain.com
> Connection: keep-alive
> sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
> sec-ch-ua-mobile: ?0
> Wicket-FocusedElementId: id87
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Accept: application/xml, text/xml, */*; q=0.01
> Wicket-Ajax-BaseURL: 1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZmajvnhPJ2o8/1EFf1/-gvdb
> X-Requested-With: XMLHttpRequest
> Wicket-Ajax: true
> sec-ch-ua-platform: "Windows"
> Origin: https://example.domain.com
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: empty
> Referer: https://example.domain.com/lgmm/1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZmajvnhPJ2o8/1EFf1/-gvdb
> Accept-Language: en-US
> Content-Length: 58
>
> regionFormGroup%3AregionFormGroup_body%3AregionTextField=b
>
> HTTP/1.1 200 OK
> Date: Fri, 28 Oct 2022 01:26:27 GMT
> X-Powered-By: Servlet/3.1
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Pragma: no-cache
> Cache-Control: no-cache, no-store
> Ajax-Location: ../../1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZGxUSqIGs5Tb2rcQ5fnAdfw/1EFf1/rYC7b
> Keep-Alive: timeout=5, max=94
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: text/xml;charset=UTF-8
> Content-Language: en-US
> X-Frame-Options: SAMEORIGIN
> Strict-Transport-Security: max-age=31536000; preload
>
> <ajax-response>
> <redirect><![CDATA[../../1EFGhfMAxecfRmNOJXeaL4DEM0H-EW58EQqlsCvFg2CrIQQFX7A73Gb1jkQR1RVAgGv-Ar-xgDmvL9rYCjIxJyUCSoIcSK57hbnGyvGyXBMLG_P37gUxG-gvskBCrGmZGxUSqIGs5Tb2rcQ5fnAdfw/1EFf1/rYC7b]]></redirec
>
> ...
> ...
> ...
> Content-Length: 96
>
> regionFormGroup%3AregionFormGroup_body%3AregionTextField=b%27+and+last%28%29%3Dlast%28%29+or+%27
>
> HTTP/1.1 200 OK
> Date: Fri, 28 Oct 2022 01:26:27 GMT
> X-Powered-By: Servlet/3.1
>
> ...
> ...
> ...
> Content-Length: 104
>
> regionFormGroup%3AregionFormGroup_body%3AregionTextField=b%27+and+not%28last%28%29%29%3Dlast%28%29+or%27
>
> HTTP/1.1 200 OK
> Date: Fri, 28 Oct 2022 01:26:27 GMT
> X-Powered-By: Servlet/3.1
>
> ...
> ...
> ...
> Content-Length: 104
>
> regionFormGroup%3AregionFormGroup_body%3AregionTextField=b%27+and+position%28%29%3Dposition%28%29+or+%27
>
> HTTP/1.1 200 OK
> Date: Fri, 28 Oct 2022 01:26:27 GMT
> X-Powered-By: Servlet/3.1
>
> We're having a hard time understanding what's even happening here or if it's a threat, but essentially we have a very simple Panel with a TextField that drives a DataTable via Ajax, and it appears that somehow the app scan is manipulating the TextField with a POST and sending garbage data.
>
> Unfortunately we don't have any context aside from this report.
>
> We were hoping you might help us understand the problem, and let us know if this is something we can/should configure in the Wicket framework. Since this is a Medium severity, we are being told that this has to be dealt with.
>
> Any information to guide us would be greatly appreciated.
>
> Thank you,
>
> Jonathan Babie
> Java Applications Developer
> Work: (838) 910-4274
>
> Notice: This communication, including any attachments, is intended solely for the use of the individual or entity to which it is addressed. This communication may contain information that is protected from disclosure under State and/or Federal law. Please notify the sender immediately if you have received this communication in error and delete this email from your system. If you are not the intended recipient, you are requested not to disclose, copy, distribute or take any action in reliance on the contents of this information.
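What the scanner's three mutations of `b` actually do, and what Martin's "add validation" looks like in code, as an added example that is not part of this thread and not Wicket's own code. The class name `RegionLookupDemo`, the embedded `regions` XML (constructed sample data standing in for whatever the DataTable is backed by) and the method names are all assumptions; the only thing taken from the report is the three URL-decoded payloads. The example uses only the JDK's `javax.xml.xpath` API so it runs stand-alone:

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class RegionLookupDemo {

    // Constructed sample data (assumption): stands in for the data behind the DataTable.
    static final String REGIONS_XML =
        "<regions>"
      + "<region code='a' name='Albany'/>"
      + "<region code='b' name='Buffalo'/>"
      + "<region code='c' name='Catskill'/>"
      + "</regions>";

    static Document loadRegions() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Not related to XPath injection, but a scanner would flag an XML parser without it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(REGIONS_XML)));
    }

    /** VULNERABLE: the text-field value is spliced into the XPath expression as syntax. */
    static int countVulnerable(Document doc, String regionInput) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/regions/region[@code='" + regionInput + "']";
        NodeList hits = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    /** HARDENED: the value is bound to an XPath variable, so quotes and operators in it stay data. */
    static int countSafe(Document doc, String regionInput) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name -> "code".equals(name.getLocalPart()) ? regionInput : null);
        NodeList hits = (NodeList) xp.evaluate("/regions/region[@code=$code]", doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    /** Allow-list check for the field value (assumed format); reject before any query is built. */
    static boolean isAcceptableRegionInput(String s) {
        return s != null && s.matches("[A-Za-z0-9][A-Za-z0-9 .-]{0,63}");
    }

    public static void main(String[] args) throws Exception {
        Document doc = loadRegions();

        // The scanner's three mutations of "b", URL-decoded from the report.
        String original    = "b";
        String equivalent1 = "b' and last()=last() or '";
        String different   = "b' and not(last())=last() or'";
        String equivalent2 = "b' and position()=position() or '";

        for (String in : new String[] {original, equivalent1, different, equivalent2}) {
            System.out.printf("%-40s vulnerable=%d safe=%d allowed=%b%n",
                in, countVulnerable(doc, in), countSafe(doc, in), isAcceptableRegionInput(in));
        }
        // With concatenation: 1 hit for "b" and for both "equivalent" payloads, 0 for the
        // "different" one. That response difference is exactly what the report's Reasoning
        // section compares. With the variable binding: 1 hit for "b", 0 for every payload,
        // and the allow-list rejects all three payloads outright.

        // Why this is rated Medium: the same true/false oracle leaks data the user never sees.
        String probe = "b' and substring(/regions/region[3]/@name,1,1)='C' or '";
        System.out.println("probe -> " + countVulnerable(doc, probe)); // 1: third region's name starts with C
    }
}
```

The check to run against the real application is whether the value of `regionTextField` ever reaches an XPath (or any other query string) by concatenation. If it never does, the scanner's finding is a false positive: all four responses in the report are the same Ajax redirect, so a differential test on an endpoint that ignores the value has nothing to distinguish. If it does, bind the value as a variable as in `countSafe` and, on the Wicket side, add a validator to the field (for instance `regionTextField.add(new PatternValidator("[A-Za-z0-9][A-Za-z0-9 .-]{0,63}"))`, using `org.apache.wicket.validation.validator.PatternValidator`); Wicket runs form validators on the server before the model is updated, so rejected input never reaches whatever feeds the DataTable.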