Closed
Bug 1288175
Opened 9 years ago
Closed 9 years ago
Server side meta tag rendering with url and querystring cause xss issue
Categories
(Firefox :: Untriaged, defect)
RESOLVED DUPLICATE of bug 528661
People
(Reporter: mauricioskateboard, Unassigned, NeedInfo)
Attachments: 1 file (9.18 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
Steps to reproduce:
I got a project with a problem to solve, and I figured out that another developer was rendering meta tags with URLs, and these URLs also contain query string parameters. When I put in a query string like these:
?mesAno=abril202014&teste/?43b2a%22%25%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EEff8f6=1%22/%3E%3Cmeta%20name=%22viewport%22%20content=%22width=device-width,%20initial-scale=1.0%22%20/%3E
?mesAno=abril202014&teste/?43b2a%22%3E%3Cscript%3Ealert(%22TESTE+XSS%22)%3C/script%3Eff8f6=ff8f6=
?mesAno=abril202014&teste/?43b2a"><script>alert("TESTE+XSS")</script>ff8f6=ff8f6=1"/><
This issue is occurring on Mozilla Firefox and Mozilla Firefox Developer Edition.
The version is in attachments.
Thanks
Mauricio
Actual results:
Both Mozilla browsers execute the script in the DOM
Expected results:
not execute the script in the DOM
Comment 1•9 years ago
Why is this a bug in Firefox? Does it not happen in other browsers? Can you provide a link where this happens? It clearly doesn't happen on just any website, as:
https://www.google.co.uk/?mesAno=abril202014&teste/?43b2a%22%25%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3EEff8f6=1%22/%3E%3Cmeta%20name=%22viewport%22%20content=%22width=device-width,%20initial-scale=1.0%22%20/%3E
doesn't have this problem.
Based on the URL, this looks like an XSS bug in a particular website rather than an actual issue with Firefox.
Flags: needinfo?(mauricioskateboard)
Comment 2•9 years ago
This is an XSS bug in the site in question, and should be fixed in that site. Some browsers attempt to filter XSS attempts when sent as parameters in a URL, but a site should not rely on it:
* they don't catch all parameter-based XSS (and different browsers miss different things)
* there are other, non-parameter, types of XSS that won't be filtered
* not all browsers support such a feature
Firefox _does_ support Content Security Policy, an HTTP-header-based tool that helps fight XSS when used in its default strict mode. Similar caveats about not being supported in all browsers, but it's a standard and is supported in more modern browsers than reflected-XSS filtering.
We have an enhancement request to build such a feature but are not currently working on it (bug 528661).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Comment 3•9 years ago (Reporter)
Comment 4•9 years ago (Reporter)
My team has a solution, but this bug occurs because the HTML rendered server-side includes the query string parameter.
Comment 5•9 years ago (Reporter)
We will deploy a package to fix the server-side rendering. We render HTML server-side in this case, and Firefox and Firefox Developer Edition include the script in the head tag.
Comment 6•9 years ago (Reporter)
It doesn't happen in the other browsers, including Brave.
Brave has a similar behavior but does not execute the JavaScript.
Comment 7•9 years ago (Reporter)
If my team fixes it on our side, I will post a Node.js application reproducing it, thanks.
Comment 8•9 years ago (Reporter)
My team already fixed it; I will post a project on git to reproduce this issue.
Comment 9•9 years ago (Reporter)
I've tried to reproduce it with Node.js, but it looks like it only occurs in Node.js:
https://github.com/mauricionr/xss-test/blob/master/index.js
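Comment 2 places the fix in the site, and comment 4 puts the cause in server-rendered HTML that includes the query string parameter. The following Node.js sketch is an added example (not the reporter's code or anything attached to this bug) that shows that rendering pattern beside an attribute-encoded version, plus a CSP header as the second layer comment 2 mentions. The `og:url` meta property, the function names and the `site.example` host are assumptions; the query string is the decoded one from the report.

```javascript
// Constructed request URL carrying the decoded query string quoted in the report.
// The host is a placeholder.
const SAMPLE_URL =
  'https://site.example/page?mesAno=abril202014&teste/?43b2a">' +
  '<script>alert("TESTE+XSS")</script>ff8f6=ff8f6=1"/><';

// Pattern described in the report: the server copies the request URL
// (query string included) into a meta tag attribute without encoding it.
// The meta property name is an assumption; the report does not name the tag.
function renderMetaUnsafe(pageUrl) {
  return `<meta property="og:url" content="${pageUrl}">`;
}

// Encode the characters that can close the attribute or open a new tag.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened form: same tag, value encoded for a double-quoted attribute.
function renderMetaSafe(pageUrl) {
  return `<meta property="og:url" content="${escapeAttr(pageUrl)}">`;
}

// Simple check for the demo: does the rendered markup contain a raw script tag?
function hasRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Second layer from comment 2: a policy without 'unsafe-inline' stops an
// injected inline <script> from running in browsers that enforce CSP.
function securityHeaders() {
  return { 'Content-Security-Policy': "default-src 'self'; script-src 'self'" };
}

console.log('unsafe:', renderMetaUnsafe(SAMPLE_URL));
console.log('safe:  ', renderMetaSafe(SAMPLE_URL));
console.log('header:', securityHeaders());
```

Output encoding is the fix; the header only limits the damage if an unencoded value slips through somewhere else.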