XSS in the RequestLoggerMiddleware.cs #3279

Closed
JameelNabbo opened this issue May 21, 2019 · 4 comments
@JameelNabbo
commented May 21, 2019

Hi,
https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/host/Extensions/RequestLoggerMiddleware.cs

In the LogForErrorContext method the param httpContext is not filtered, and can be injected with the XSS payload onerror="alert(String.fromCharCode(88,83,83)), which can be triggered from the log as well.

// Enriches the Serilog logger with details of the current request for error logging
static ILogger LogForErrorContext(HttpContext httpContext)
{
    var request = httpContext.Request;

    var result = Log
        .ForContext("RequestHeaders", request.Headers.ToDictionary(h => h.Key, h => h.Value.ToString()), destructureObjects: true)
        .ForContext("RequestHost", request.Host)
        .ForContext("RequestProtocol", request.Protocol);

    if (request.HasFormContentType)
        result = result.ForContext("RequestForm", request.Form.ToDictionary(v => v.Key, v => v.Value.ToString()));

    return result;
}
@leastprivilege

Member

commented May 22, 2019

XSS is very context specific. What you describe above would e.g. not do any harm in a console output (and we cannot know how you plan to output your log files).

IOW - you protect yourself against XSS with output encoding, not input sanitization.

As a side note - this logger is only part of our test host. Not IdentityServer.
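The point made in the reply above (the sink decides whether a value is dangerous, and output encoding at that sink is the defence), as an added Python example that is not part of this thread or of IdentityServer; the log viewer, the `render_*` functions and the sample event are constructed for illustration:

```python
import html
import json

# Constructed sample event, shaped like the record LogForErrorContext builds
# (request headers captured as a dictionary).  The header value is the string
# from the issue report; at this point it is data, not markup.
SAMPLE_EVENT = {
    "RequestHost": "localhost:5000",
    "RequestProtocol": "HTTP/1.1",
    "RequestHeaders": {
        "User-Agent": 'x" onerror="alert(String.fromCharCode(88,83,83))',
    },
}


def render_console(event):
    """Console / JSON file sink: the value is written as a JSON string and
    round-trips unchanged.  No browser parses this output, so there is
    nothing to encode and nothing that can execute."""
    return json.dumps(event)


def html_escape(value):
    """Output encoding for an HTML sink.  quote=True also escapes the quote
    characters, which is what neutralises attribute-context payloads."""
    return html.escape(value, quote=True)


def render_html(event, encode):
    """Hypothetical HTML log viewer: renders a (nested) event as <dl> markup.
    `encode` is applied to every key and leaf value at the moment it enters
    the HTML sink.  Pass `str` to get the naive viewer that interpolates raw
    values, `html_escape` for the one that applies output encoding."""
    parts = ["<dl>"]
    for key, value in event.items():
        parts.append(f"<dt>{encode(str(key))}</dt>")
        if isinstance(value, dict):
            parts.append(f"<dd>{render_html(value, encode)}</dd>")
        else:
            parts.append(f"<dd>{encode(str(value))}</dd>")
    parts.append("</dl>")
    return "".join(parts)


if __name__ == "__main__":
    print(render_console(SAMPLE_EVENT))
    print(render_html(SAMPLE_EVENT, encode=str))          # raw value lands in the markup
    print(render_html(SAMPLE_EVENT, encode=html_escape))  # value is displayed, not interpreted
```

The same stored record is harmless in the console sink and only becomes a problem in a viewer that forgets to encode, which is why the fix belongs in the viewer, not in the logger.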

@scottbrady91

Member

commented May 22, 2019

Quick heads up, there are guidelines in place for reporting security issues: https://github.com/IdentityServer/IdentityServer4/blob/master/SECURITY.MD

@leastprivilege

Member

commented May 24, 2019

@JameelNabbo I contacted CVE to take the entry down, as it is obviously not a security problem. If you are the author please do the same.

For the "security researcher" I have advice for the future:

  • do better research
  • learn about "responsible disclosure"