Closed Bug 1288175 Opened 6 years ago Closed 6 years ago

Server side meta tag rendering with url and querystring cause xss issue

Categories

(Firefox :: Untriaged, defect)

47 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 528661

People

(Reporter: mauricioskateboard, Unassigned, NeedInfo)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce:

I got a project with a problem to solve and I figured out that another developer was rendering meta tags with URLs, and these URLs also contain query string parameters. When I put a query string like these:

?mesAno=abril202014&teste/?43b2a%22%25%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EEff8f6=1%22/%3E%3Cmeta%20name=%22viewport%22%20content=%22width=device-width,%20initial-scale=1.0%22%20/%3E

?mesAno=abril202014&teste/?43b2a%22%3E%3Cscript%3Ealert(%22TESTE+XSS%22)%3C/script%3Eff8f6=ff8f6=

?mesAno=abril202014&teste/?43b2a"><script>alert("TESTE+XSS")</script>ff8f6=ff8f6=1"/><


This issue is occurring on Mozilla Firefox and Mozilla Firefox Developer Edition.

The version is in attachments.

Thanks

Mauricio



Actual results:

Both Mozilla browsers execute the script in the DOM


Expected results:

not execute the script in the DOM
Why is this a bug in Firefox? Does it not happen in other browsers? Can you provide a link where this happens? It clearly doesn't happen on just any website, as:

https://www.google.co.uk/?mesAno=abril202014&teste/?43b2a%22%25%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EEff8f6=1%22/%3E%3Cmeta%20name=%22viewport%22%20content=%22width=device-width,%20initial-scale=1.0%22%20/%3E

doesn't have this problem.

Based on the URL, this looks like an XSS bug in a particular website rather than an actual issue with Firefox.
Flags: needinfo?(mauricioskateboard)
This is an XSS bug in the site in question, and should be fixed in that site. Some browsers attempt to filter xss attempts when sent as parameters in a URL but a site should not rely on it:
 * they don't catch all parameter-based XSS (and different browsers miss different things)
 * there are other, non-parameter, types of XSS that won't be filtered
 * not all browsers support such a feature

Firefox _does_ support Content Security Policy, an HTTP-header-based tool that helps fight XSS when used in its default strict mode. Similar caveats about not being supported in all browsers, but it's a standard and is supported in more modern browsers than reflected-XSS filtering.

We have an enhancement request to build such a feature but are not currently working on it (bug 528661).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: xssfilter
My team has a solution, but this bug occurs because the HTML rendered by the server side includes the query string parameter.
We will deploy a package to fix the server-side rendering. We render HTML via the server side in this case, and Firefox and Firefox Developer Edition include the script in the head tag.
It doesn't happen in the other browsers, including Brave.

Brave has a similar behavior but does not execute the JavaScript.
If my team fixes it on our side, I will post a Node.js application reproducing it, thanks
My team already fixed it, I will post on git a project to reproduce this issue
I've tried to reproduce with Node.js but it looks like it only occurs in Node.js

https://github.com/mauricionr/xss-test/blob/master/index.js