
Cross Site Scripting Vulnerability #1267

Open
CarlosAndresRamirez opened this issue Jul 4, 2021 · 2 comments

CarlosAndresRamirez commented Jul 4, 2021

Description

An XSS vulnerability exists in the default error response when running Amber in the DEV environment.

Steps to Reproduce

When running Amber in the default DEV environment, the application is vulnerable to XSS.
It is quite hard to notice because most browsers might be mitigating/filtering the issue, so you cannot really see it in the browser.

I replicated it by sniffing the traffic (Wireshark) and just running a plaintext request from the command line. It can also be seen in Burp Suite, but once you load the request in the browser, it will fix the HTML code.

How to replicate:
Just run a regular app in dev environment (in this case, port 3000)

From command line:
nc localhost 3000

Then paste the following request:

GET /</title>

HELLO

HTTP/1.0
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Accept: text/html

NOTE: It looks like the request format is changed when displayed here on GitHub - see the attached screenshot for the original request.

You will see the response has multiple </title> tags - non-escaped code (reflected XSS) like this:
...

<title>Error 404 at GET /</title>

HELLO

- The request was not found. GET - /</title>

HELLO

</title>

As I said, it cannot be seen from the browser - some dynamic escaping occurs. The risk is low, but I guess it is worth checking - vulnerable code might be present in other parts of the framework.

Expected behavior: [What you expect to happen]
HTML input should be escaped.

Actual behavior: [What actually happens]

Reproduces how often: [What percentage of the time does it reproduce?]
All the time

Versions

Amber CLI (amberframework.org) - v1.0.0rc2

Additional Information

[Screenshot attached: amber-xss]

robacarp (Member) commented Jul 6, 2021

Does this also exist when the app is not running in development mode?

CarlosAndresRamirez (Author) commented

Turns out that the XSS vulnerability is in the "template" used to display errors when in development mode. As this is not enabled in production, it cannot be triggered.

However, I think the real problem is that Amber by default is not escaping input.
Shouldn't it escape input parameters by default, just as Rails and all other frameworks do?
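The defect reported above is that the request path is interpolated raw into the development error page, so a path containing markup closes the real <title> and is reflected again in the body. The following is an added Ruby example, not Amber's code or anything from this thread: a hypothetical error-page renderer in the shape the report describes, the same renderer with every untrusted value HTML-escaped before interpolation (the "escape by default" behaviour the second comment asks for), and a small check that flags an unescaped reflection. The sample request line is constructed from the report; the function names and the exact page markup are assumptions.

```ruby
require "cgi"

# Constructed sample, modelled on the request line in the report: the path
# carries a closing </title> tag plus some marker text.
SAMPLE_METHOD = "GET"
SAMPLE_PATH   = "/</title>\n\nHELLO\n\n"

# Hypothetical vulnerable shape (not Amber's actual template): the method and
# path are interpolated into the HTML as-is, so markup in the path is rendered.
def render_error_unescaped(method, path)
  <<~HTML
    <html><head><title>Error 404 at #{method} #{path}</title></head>
    <body><p>The request was not found. #{method} - #{path}</p></body></html>
  HTML
end

# Hardened shape: every value that originates from the request is passed
# through CGI.escapeHTML before it is placed in the page. This turns
# "</title>" into "&lt;/title&gt;", which the browser displays as text.
def render_error_escaped(method, path)
  safe_method = CGI.escapeHTML(method)
  safe_path   = CGI.escapeHTML(path)
  <<~HTML
    <html><head><title>Error 404 at #{safe_method} #{safe_path}</title></head>
    <body><p>The request was not found. #{safe_method} - #{safe_path}</p></body></html>
  HTML
end

# Detection check: a well-formed error page closes <title> exactly once.
# Extra occurrences mean request data reached the markup unescaped.
def title_close_count(html)
  html.scan("</title>").size
end

# Detection check: does the raw payload appear verbatim in the response body?
# An escaped page contains only the entity-encoded form of the payload.
def reflected_unescaped?(html, payload)
  html.include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = render_error_unescaped(SAMPLE_METHOD, SAMPLE_PATH)
  fixed      = render_error_escaped(SAMPLE_METHOD, SAMPLE_PATH)
  puts "unescaped page: #{title_close_count(vulnerable)} </title> tags, " \
       "reflected=#{reflected_unescaped?(vulnerable, SAMPLE_PATH)}"
  puts "escaped page:   #{title_close_count(fixed)} </title> tag, " \
       "reflected=#{reflected_unescaped?(fixed, SAMPLE_PATH)}"
end
```

The same two checks work against a captured response from any server: count the closing title tags and look for the verbatim payload. Because browsers repair the broken markup before rendering, as the report notes, the checks have to run on the raw bytes (a proxy capture or a plain socket read), not on the DOM the browser shows.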
