validateJsonSyntax may allow reflected XSS in older browsers

[ElectricNroff]

cve-services/src/middleware/middleware.js

Lines 284 to 287 in 8a76dc9

	} else if (err.status === 400) {
	console.warn('Request failed validation because JSON syntax is incorrect')
	console.info((JSON.stringify(err)))
	return res.status(400).json(error.invalidJsonSyntax(err.message))

can produce Express "Failed to decode param" errors in some situations that didn't have this outcome in CVE Services 1.1.1. This might be a realistic risk for older browsers such as Internet Explorer, in which XSS might be achievable by an attacker who does not have the ability to embed an XSS payload inside a CVE Record.

For example, inserting a '%' character after a valid route has this behavior in recent dev versions:

% curl https://cveawg-test.mitre.org/api/cve/%abc
{"error":"INVALID_JSON_SYNTAX","message":"Failed to decode param '%abc'"}

whereas there was no reflected content in CVE Services 1.1.1:

% curl https://cveawg.mitre.org/api/cve/%abc
{"error":"SERVICE_NOT_AVAILABLE","message":"This service appears to not be available."}

The behavior is better demonstrated by testing locally, which removes the complication of an AWS-maintained Web Application Firewall that, in general, may be able to block some but not all attacks.

% curl http://localhost:3000/api/cve/%\<SCRIPT\>alert\(document.domain\)\<.html
{"error":"INVALID_JSON_SYNTAX","message":"Failed to decode param '%<SCRIPT>alert(document.domain)<.html'"}

The response has various headers that may make exploitation impractical in most web browsers:

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/json; charset=utf-8

However, https://www.adico.me/post/json-based-xss-exploitation states that Internet Explorer (possibly version 9 and earlier) ignores the application/json Content-Type in some situations involving URLs with .html at the end, and behaves as if the Content-Type were text/html.

If a fix for this is desired, one possibility is to change src/middleware/middleware.js so that

      return res.status(400).json(error.invalidJsonSyntax(err.message))

is replaced by

      let filteredMessage = err.message
      if (filteredMessage.includes('Failed to decode param')) {
        filteredMessage = filteredMessage.replace(/[^A-Z0-9_ -]+/gi,'')
      }
      return res.status(400).json(error.invalidJsonSyntax(filteredMessage))

With this change, the request/response would be:

% curl http://localhost:3000/api/cve/%\<SCRIPT\>alert\(document.domain\)\<.html
{"error":"INVALID_JSON_SYNTAX","message":"Failed to decode param SCRIPTalertdocumentdomainhtml"}