zkau Cross Site Scripting (XSS) F5 firewall

asked 2021-01-26 02:00:36 +0800 by jstz

updated 2021-01-26 11:03:01 +0800 by cor3000

Hi:

I have a problem with a call to upload files with ZK 8.0.2.2 behind an F5 firewall, because this call is being flagged as a security violation:

Requested URL   [HTTPS] /[CONTEXT]/zkau
Security Policy /Common/POLICY_PCI
Virtual Server  /Common/TPVS_TEST_2019 
Request Status  Blocked 

Decoded Request
POST /[CONTEXT]/zkau HTTP/1.1
Host: [URL]
Connection: keep-alive
Content-Length: 337
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
ZK-SID: 808
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: https://[URL]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[URL]/[CONTEXT]/[ZUL_PAGE].zul
Accept-Language: es-419,es;q=0.9
Cookie: JSESSIONID=23C26F76E36EA5F1A01C6428256AA42A; TS01d356d8=01037d2fb315cac4ce1e381dc75b97aa91631a14eed1f1bf062671439ab6eb311321cf929524a8e88a80a2c4a90e62eeb1ec89b1df429b2e737b8751213a5d26db1b8c7fb2; TS01038a28=01037d2fb3d792fc05ba4c32dd732b4a0312b54f64675106a38e3bada913cf058111af1bfefed111501f2238c1fdab84826bcff531

dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2","clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}

Violation Details
Attack signature detected [1]
Detected Keyword        cmd_1=onSelect
Attack Signature        ID200000
Name                    onselect... (Parameter)
Context                 Parameter (detected in Form Data)
Parameter Level         Global
Actual Parameter Name   cmd_1
Wildcard Parameter Name *
Parameter Value         onSelect

Can you help me?


Comments

Hi:

Thank you, the violation details are:

Violation Details

Attack signature detected [1]

Detected Keyword: cmd_1=onSelect

Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *

jstz (2021-01-27 04:07:25 +0800)

Parameter Value: onSelect Applied Blocking Settings: Block Alarm Learn

The violation occurs where I try to choose a file to upload to the server.

jstz (2021-01-27 04:10:48 +0800)

Thank you for your comments.

One additional question: have the parameters cmd0, cmd1, etc. always been used, that is, also in previous versions?

Thank you so much.

jstz (2021-02-03 03:32:26 +0800)

Yes, as long as I've been working with ZK (~8 years) this was the case; I think at least since ZK 5. E.g. you can verify that live on https://zkfiddle.org/ down to version 6.5.8.1.

cor3000 (2021-02-03 09:26:35 +0800)

Here is the related source in case you need proof for your security guys: https://github.com/zkoss/zk/blame/816ef760377f33d245d0b401e8593881b071af7b/zk/src/archive/web/js/zk/au.js

cor3000 (2021-02-03 09:28:50 +0800)

2 Answers


answered 2021-01-27 10:10:24 +0800

cor3000

Detected Keyword: cmd_1=onSelect

Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *

If that's the parameter the firewall is complaining about, then you'll have to disable the rule, or add an exception for the parameters needed by ZK. ZK's AU Engine needs a variable number of request parameters, sequenced like cmd_0, cmd_1, cmd_2 ... (also data_X and uuid_X), to allow multiple events to be sent within a single request to the server.

There's no way to disable/change this easily. You have to allow this in your firewall.

An alternative could be to switch to websockets.

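To make the answer's description of the AU request format concrete, here is an added example (not ZK's or F5's code) that parses the decoded body quoted in the question into its cmd_N/uuid_N/data_N event groups and checks each command against the shape of a ZK event name. The event-name and uuid patterns are assumptions, not ZK's definitions; a structural check like this is what a WAF exception for the zkau endpoint could be scoped to, rather than a blanket allow on cmd_*.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed copy of the decoded request body quoted in the question (not ZK's own code).
SAMPLE_BODY = (
    'dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}'
    '&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2",'
    '"clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}'
)

# ZK AU parameters come in numbered groups: cmd_N, uuid_N, data_N (as described in the answer).
INDEXED = re.compile(r"^(cmd|uuid|data)_(\d+)$")
# ZK event names are camel-cased identifiers starting with "on" (assumed allowlist shape).
EVENT_NAME = re.compile(r"^on[A-Z][A-Za-z0-9]*$")
UUID = re.compile(r"^[A-Za-z0-9_]+$")  # shape of component ids seen in the sample (assumption)


def parse_au_body(body):
    """Group the flat form body into the desktop id plus an ordered list of events."""
    groups, dtid = {}, None
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == "dtid":
            dtid = value
            continue
        m = INDEXED.match(key)
        if not m:
            raise ValueError("unexpected parameter: %s" % key)
        groups.setdefault(int(m.group(2)), {})[m.group(1)] = value
    events = []
    for idx in sorted(groups):
        g = groups[idx]
        if set(g) != {"cmd", "uuid", "data"}:
            raise ValueError("incomplete event group %d" % idx)
        events.append({"cmd": g["cmd"], "uuid": g["uuid"], "data": json.loads(g["data"])})
    return dtid, events


def check_au_request(body):
    """Return (ok, reasons): the structural check a scoped WAF exception would rely on."""
    try:
        dtid, events = parse_au_body(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        return False, [str(exc)]
    reasons = [] if dtid else ["missing dtid"]
    for i, ev in enumerate(events):
        if not EVENT_NAME.match(ev["cmd"]):
            reasons.append("event %d: command %r is not a ZK event name" % (i, ev["cmd"]))
        if not UUID.match(ev["uuid"]):
            reasons.append("event %d: unexpected uuid %r" % (i, ev["uuid"]))
    return not reasons, reasons
```

Run against the sample, the body from the question parses into two well-formed events (onAnchorPos and onSelect on component wXBQn), which is the point to raise with the firewall team: the "onselect" keyword here is a ZK event command, not injected markup.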

answered 2021-01-26 11:16:12 +0800

cor3000

updated 2021-01-26 11:18:21 +0800

Btw your request doesn't indicate any file upload operation.

The request looks correct from a ZK perspective, the onSelect event is a valid event for a component like a combobox or listbox.

I can't comment on the F5 firewall; I assume it needs some configuration. However, the Attack Signature ID200000 didn't give me any search results, so I can't comment on that.
