validateQueryParameterNames may allow reflected XSS in older browsers #785

Closed
ElectricNroff opened this issue Jul 19, 2022 · 1 comment · Fixed by #922
@ElectricNroff
Contributor

// Validator as added in 65652b5: an unrecognised query parameter name is
// interpolated verbatim into the error message (this is the reflection point).
function validateQueryParameterNames (queryParamNames, validNames) {
  Object.keys(queryParamNames).forEach(k => {
    if (!validNames.includes(k)) {
      throw new Error(`'${k}' is not a valid parameter name.`)
    }
  })
}

has a potential XSS vulnerability that is easier to exploit than the similar #697 issue, mainly because a forward slash character is easily sent, e.g.,

curl http://127.1:3000/api/cve\?\<script\>alert\(document.domain\)\</script\>=.html
{"error":"BAD_INPUT","message":"Parameters were invalid","details":[{"msg":"'<script>alert(document.domain)</script>' is not a valid parameter name.","param":"","location":"query"}]}

The code to reflect back any /api/cve parameter name (with an arbitrary payload) was added in 65652b5 on 2022-07-15.
Admittedly, the response comes with HTTP headers that may block exploitation except in older Internet Explorer, etc. (see #697 for details).

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/json; charset=utf-8
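The following is an added example, not code from the issue or from the cve-services project: it places the reflecting validator quoted above beside a hardened variant that strips disallowed characters from the parameter name before it reaches the error message (the approach named in the fix commit), and runs both against a query key modelled on the curl request in the report. The allowlist regex, the `sanitizeParameterName` helper, the `VALID_NAMES` list and the `demo` driver are assumptions constructed for the example, not the project's own.

```javascript
// Vulnerable form, as quoted in the issue: the unknown key is echoed verbatim,
// so whatever the client put in the query string lands in the JSON error body.
function validateQueryParameterNamesVulnerable (queryParamNames, validNames) {
  Object.keys(queryParamNames).forEach(k => {
    if (!validNames.includes(k)) {
      throw new Error(`'${k}' is not a valid parameter name.`)
    }
  })
}

// Hardened form: remove every character outside a conservative allowlist
// before the name is interpolated. The allowlist itself is an assumption for
// this example; the project may choose a different character set.
const DISALLOWED_NAME_CHARS = /[^A-Za-z0-9_\-.]/g

function sanitizeParameterName (name) {
  return String(name).replace(DISALLOWED_NAME_CHARS, '')
}

function validateQueryParameterNames (queryParamNames, validNames) {
  Object.keys(queryParamNames).forEach(k => {
    if (!validNames.includes(k)) {
      throw new Error(`'${sanitizeParameterName(k)}' is not a valid parameter name.`)
    }
  })
}

// Runs a validator the way the API route would and returns the message that
// would be embedded in the "details" array of the JSON error response
// (null when the query passes validation).
function errorMessageFor (validator, query, validNames) {
  try {
    validator(query, validNames)
    return null
  } catch (e) {
    return e.message
  }
}

// Constructed sample input: the query key from the issue's curl request, and a
// made-up list of accepted parameter names (not the real /api/cve parameters).
const PAYLOAD = '<script>alert(document.domain)</script>'
const VALID_NAMES = ['page', 'state']

// Compares what each validator would reflect for the same request.
function demo () {
  const query = { [PAYLOAD]: '.html' }
  return {
    vulnerable: errorMessageFor(validateQueryParameterNamesVulnerable, query, VALID_NAMES),
    hardened: errorMessageFor(validateQueryParameterNames, query, VALID_NAMES),
    valid: errorMessageFor(validateQueryParameterNames, { page: '1' }, VALID_NAMES)
  }
}

console.log(demo())
```

The hardened message still names the offending parameter, so the error stays useful to API clients, but angle brackets, parentheses and slashes can no longer appear in it; the `X-Content-Type-Options: nosniff` and JSON content type headers shown above remain the second line of defence for browsers that would otherwise sniff the body as HTML.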
@jdaigneau5
Collaborator

Use same filter replace message as #697

@jdaigneau5 jdaigneau5 self-assigned this Nov 17, 2022
slubar added a commit that referenced this issue Nov 18, 2022
Resolves #785 Remove disallowed characters in query parameter names to prevent XSS reflection