Server side meta tag rendering with url and querystring cause xss issue

RESOLVED DUPLICATE of bug 528661

Status

defect
RESOLVED DUPLICATE of bug 528661
3 years ago
3 years ago

People

(Reporter: mauricioskateboard, Unassigned, NeedInfo)

Tracking

47 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce:

I got a project with a problem to solve and I figured out that another developer was rendering meta tags with URLs, and these URLs also contain query string parameters; when I put query strings like these:

?mesAno=abril202014&teste/?43b2a%22%25%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EEff8f6=1%22/%3E%3Cmeta%20name=%22viewport%22%20content=%22width=device-width,%20initial-scale=1.0%22%20/%3E

?mesAno=abril202014&teste/?43b2a%22%3E%3Cscript%3Ealert(%22TESTE+XSS%22)%3C/script%3Eff8f6=ff8f6=

?mesAno=abril202014&teste/?43b2a"><script>alert("TESTE+XSS")</script>ff8f6=ff8f6=1"/><


This issue is occurring on Mozilla Firefox and Mozilla Firefox Developer Edition.

The version is in attachments.

Thanks

Mauricio



Actual results:

Both Mozilla browsers execute the script in the DOM.


Expected results:

Do not execute the script in the DOM.

Comment 1

3 years ago
Why is this a bug in Firefox? Does it not happen in other browsers? Can you provide a link where this happens? It clearly doesn't happen on just any website, as:

https://www.google.co.uk/?mesAno=abril202014&teste/?43b2a%22%25%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EEff8f6=1%22/%3E%3Cmeta%20name=%22viewport%22%20content=%22width=device-width,%20initial-scale=1.0%22%20/%3E

doesn't have this problem.

Based on the URL, this looks like an XSS bug in a particular website rather than an actual issue with Firefox.
Flags: needinfo?(mauricioskateboard)
This is an XSS bug in the site in question, and should be fixed in that site. Some browsers attempt to filter XSS attempts when sent as parameters in a URL, but a site should not rely on it:
 * they don't catch all parameter-based XSS (and different browsers miss different things)
 * there are other, non-parameter, types of XSS that won't be filtered
 * not all browsers support such a feature

Firefox _does_ support Content Security Policy, an HTTP-header-based tool that helps fight XSS when used in its default strict mode. Similar caveats about not being supported in all browsers, but it's a standard and is supported in more modern browsers than reflected-XSS filtering.

We have an enhancement request to build such a feature but are not currently working on it (bug 528661).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: xssfilter
(Reporter)

Comment 4

3 years ago
My team has a solution, but this bug occurs because the HTML rendered by the server side includes the query string parameter.
(Reporter)

Comment 5

3 years ago
We will deploy a package to fix the server-side rendering; we render HTML via the server side in this case, and Firefox and Firefox Developer Edition include the script in the head tag.
(Reporter)

Comment 6

3 years ago
It doesn't happen in the other browsers, including Brave.

Brave has a similar behavior but does not execute the JavaScript.
(Reporter)

Comment 7

3 years ago
If my team fixes it on our side, I will post a Node.js application reproducing it, thanks.
(Reporter)

Comment 8

3 years ago
My team already fixed it; I will post a project on git to reproduce this issue.
(Reporter)

Comment 9

3 years ago
I've tried to reproduce it with Node.js, but it looks like it only occurs in Node.js.

https://github.com/mauricionr/xss-test/blob/master/index.js
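As an added illustration of the bug class discussed in this thread (not the reporter's xss-test repository nor Mozilla code), the pattern below renders a `<meta>` tag from the request URL the way comments 4 and 5 describe, next to a hardened version that drops the query string, attribute-encodes what it reflects, and sends the Content-Security-Policy header recommended above. The `og:url` property, the `https://example.test` origin and the CSP directive set are assumptions chosen for the example; no server is started, so the functions can be exercised directly.

```javascript
// Encode the characters that let a value close a quoted HTML attribute or
// open a tag. This step is exactly what the vulnerable renderer lacks.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern from the bug: the decoded request URL, query string
// included, is interpolated straight into a meta tag's content attribute,
// so a quote in a parameter ends the attribute and the rest becomes markup.
function renderMetaVulnerable(requestUrl) {
  const decoded = decodeURIComponent(requestUrl);
  return `<head><meta property="og:url" content="${decoded}"></head>`;
}

// Hardened version: reflect only the origin and path (a canonical URL does
// not need the query string) and attribute-encode whatever is emitted.
// The origin is a constructed placeholder for the example.
function renderMetaSafe(requestUrl, origin = 'https://example.test') {
  const u = new URL(requestUrl, origin);   // global WHATWG URL parser
  const canonical = u.origin + u.pathname;
  return `<head><meta property="og:url" content="${escapeHtmlAttr(canonical)}"></head>`;
}

// Defence in depth, as comment 3 suggests: a strict CSP with no
// 'unsafe-inline' means an inline <script> that slips past encoding is
// still refused by the browser. Assumed policy; tune per deployment.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// What a request handler would send back (headers plus body); wire it into
// http.createServer((req, res) => { ... buildResponse(req.url) ... }) to serve it.
function buildResponse(requestUrl) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP_HEADER,
    },
    body: renderMetaSafe(requestUrl),
  };
}
```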