You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@wicket.apache.org by Samu Viitanen <za...@hotmail.com> on 2016/05/16 11:02:30 UTC

Append to POST parameters from URL onError

Hello Wicket Users,

I am a relatively new developer working with wicket. I have come across a strange feature that could cause problems in my project. When I submit a form that has validation errors and intercept the resulting POST request, I can insert query parameters in the URL. These query parameter values will then be appended after the original POST parameter.

Example:

/foo/fooAdmin?7-1.IBehaviorListener.0-admintabs-panel-wrapperform-tabbedpanel-panel-infoform-infosubmit&wicket-ajax=true&wicket-ajax-baseurl=fooAdmin%3F

Will result in validation error. The request has POST parameters:
tabbedpanel:panel:infoform:foo=This is not empty
tabbedpanel:panel:infoform:bar=                 <- this field is required but empty in request
tabbedpanel:panel:infoform:zoo=                 <- this field is not required but empty in request

I intercept the request with BurpSuite and modify the request:

/foo/fooAdmin?7-1.IBehaviorListener.0-admintabs-panel-wrapperform-tabbedpanel-panel-infoform-infosubmit&wicket-ajax=true&wicket-ajax-baseurl=fooAdmin%3F&tabbedpanel:panel:infoform:zoo=Haxor

Results in error with TextField values:
foo=This is not empty
bar=                            <- Error
zoo=;Haxor

This behaviour obviously does not directly save anything, but if the user does not notice that a Text Field value has changed, he might save something that he did not intend to. NOTE: The inserted value does not replace the original value of the field, it just appends the new value to the original value in the POSTDATA. (zoo=Value -> zoo=Value;Haxor after attack)

So I guess my question is: Is this intended? If so, is there a way around this or do I have to live with it?

Thank you for your replies

Samu Viitanen

Re: Append to POST parameters from URL onError

Posted by Samu Viitanen <za...@hotmail.com>.

What I mean is that if by some way a hacker snatches my POST request and the POSTDATA is encrypted, they could still insert malicious data to the form from URL if the form fields contain an error. The chances of an attack here are very slim but existent. I cannot use cryptomapper due to our implementation, I just wanted to know if it's intended that it's possible to append data to form fields from URL if the form goes to onError.

I am sorry if this still makes no sense.

Samu Viitanen

> On 19.5.2016, at 10.17, Martin Grigorov <mg...@apache.org> wrote:
> 
> Hi,
> 
> No one else answered your email and I guess they have the same problem as
> me - I don't really understand the problem you describe.
> 
> You submit some form. Then you _intercept_ the request somehow and you
> append some extra data. And finally your concern is that there is extra
> data.
> 
> What I don't understand is: are you describing a security issue ?
> If YES then use CRSF protection and/or CryptoMapper and/or custom token.
> 
> 
> 
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
> 
>> On Mon, May 16, 2016 at 1:02 PM, Samu Viitanen <za...@hotmail.com> wrote:
>> 
>> Hello Wicket Users,
>> 
>> I am a relatively new developer working with wicket. I have come across a
>> strange feature that could cause problems in my project. When I submit a
>> form that has validation errors and intercept the resulting POST request, I
>> can insert query parameters in the URL. These query parameter values will
>> then be appended after the original POST parameter.
>> 
>> Example:
>> 
>> 
>> /foo/fooAdmin?7-1.IBehaviorListener.0-admintabs-panel-wrapperform-tabbedpanel-panel-infoform-infosubmit&wicket-ajax=true&wicket-ajax-baseurl=fooAdmin%3F
>> 
>> Will result in validation error. The request has POST parameters:
>> tabbedpanel:panel:infoform:foo=This is not empty
>> tabbedpanel:panel:infoform:bar=                 <- this field is required
>> but empty in request
>> tabbedpanel:panel:infoform:zoo=                 <- this field is not
>> required but empty in request
>> 
>> I intercept the request with BurpSuite and modify the request:
>> 
>> 
>> /foo/fooAdmin?7-1.IBehaviorListener.0-admintabs-panel-wrapperform-tabbedpanel-panel-infoform-infosubmit&wicket-ajax=true&wicket-ajax-baseurl=fooAdmin%3F&tabbedpanel:panel:infoform:zoo=Haxor
>> 
>> Results in error with TextField values:
>> foo=This is not empty
>> bar=                            <- Error
>> zoo=;Haxor
>> 
>> This behaviour obviously does not directly save anything, but if the user
>> does not notice that a Text Field value has changed, he might save
>> something that he did not intend to. NOTE: The inserted value does not
>> replace the original value of the field, it just appends the new value to
>> the original value in the POSTDATA. (zoo=Value -> zoo=Value;Haxor after
>> attack)
>> 
>> So I guess my question is: Is this intended? If so, is there a way around
>> this or do I have to live with it?
>> 
>> Thank you for your replies
>> 
>> Samu Viitanen
>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org

Re: Append to POST parameters from URL onError

Posted by Martin Grigorov <mg...@apache.org>.

Hi,

No one else answered your email and I guess they have the same problem as
me - I don't really understand the problem you describe.

You submit some form. Then you _intercept_ the request somehow and you
append some extra data. And finally your concern is that there is extra
data.

What I don't understand is: are you describing a security issue ?
If YES then use CRSF protection and/or CryptoMapper and/or custom token.



Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, May 16, 2016 at 1:02 PM, Samu Viitanen <za...@hotmail.com> wrote:

> Hello Wicket Users,
>
> I am a relatively new developer working with wicket. I have come across a
> strange feature that could cause problems in my project. When I submit a
> form that has validation errors and intercept the resulting POST request, I
> can insert query parameters in the URL. These query parameter values will
> then be appended after the original POST parameter.
>
> Example:
>
>
> /foo/fooAdmin?7-1.IBehaviorListener.0-admintabs-panel-wrapperform-tabbedpanel-panel-infoform-infosubmit&wicket-ajax=true&wicket-ajax-baseurl=fooAdmin%3F
>
> Will result in validation error. The request has POST parameters:
> tabbedpanel:panel:infoform:foo=This is not empty
> tabbedpanel:panel:infoform:bar=                 <- this field is required
> but empty in request
> tabbedpanel:panel:infoform:zoo=                 <- this field is not
> required but empty in request
>
> I intercept the request with BurpSuite and modify the request:
>
>
> /foo/fooAdmin?7-1.IBehaviorListener.0-admintabs-panel-wrapperform-tabbedpanel-panel-infoform-infosubmit&wicket-ajax=true&wicket-ajax-baseurl=fooAdmin%3F&tabbedpanel:panel:infoform:zoo=Haxor
>
> Results in error with TextField values:
> foo=This is not empty
> bar=                            <- Error
> zoo=;Haxor
>
> This behaviour obviously does not directly save anything, but if the user
> does not notice that a Text Field value has changed, he might save
> something that he did not intend to. NOTE: The inserted value does not
> replace the original value of the field, it just appends the new value to
> the original value in the POSTDATA. (zoo=Value -> zoo=Value;Haxor after
> attack)
>
> So I guess my question is: Is this intended? If so, is there a way around
> this or do I have to live with it?
>
> Thank you for your replies
>
> Samu Viitanen
>