Steps to reproduce
Enable the webserver: webserver("127.0.0.1:8083", "supersecret")
Navigate to this URL: http://127.0.0.1:8083/?callback=%22%3E%3Cscript/src=data:,alert("evilcorp()")%26sol;%26sol;
Expected result
The callback query string is sanitized.
Actual result
The JavaScript submitted with the callback parameter is injected into the resulting page and executed in the user's browser.
- Remove the jsonp callback, using simple json data instead (Fixes PowerDNS#3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
* X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
* X-Frame-Options: deny to prevent clickjacking
* X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
* X-XSS-Protection: 1; mode=block to mitigate XSS
* Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
a basic CSP policy to restrict which scripts and CSS can be loaded
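As an added example (not dnsdist's own code), a small Python model of the JSONP endpoint before and after the fix the commit message describes: the pre-fix handler splices the callback parameter into the body verbatim, the fixed handler returns plain JSON plus the listed headers, and a helper reports which recommended headers a response lacks. Function names and the response structure are hypothetical; the header values are copied from the commit message and the test URL from the report.

```python
"""Model of the JSONP reflection and its fix. Illustrative only; not dnsdist code."""
import json
from urllib.parse import urlsplit, parse_qs

# URL from the issue report, used as sample input.
PAYLOAD_URL = ("http://127.0.0.1:8083/?callback=%22%3E%3Cscript/src=data:,"
               "alert(\"evilcorp()\")%26sol;%26sol;")

# Header set from the commit message (values as written there).
SECURITY_HEADERS = {
    "X-Content-Type-Options": "no-sniff",
    "X-Frame-Options": "deny",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy":
        "default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'",
}


def callback_from_url(url):
    """Return the decoded callback parameter as the server would receive it."""
    return parse_qs(urlsplit(url).query).get("callback", [None])[0]


def jsonp_response_vulnerable(callback, data):
    """Pre-fix behaviour (hypothetical model): the callback name is written
    into the body unchanged, so '"><script ...' reaches the page verbatim."""
    body = f"{callback}({json.dumps(data)});"
    return {"Content-Type": "application/javascript"}, body


def json_response_fixed(_callback, data):
    """Fixed behaviour: the callback is ignored, plain JSON is emitted and the
    security headers from the commit message are attached."""
    headers = {"Content-Type": "application/json", **SECURITY_HEADERS}
    return headers, json.dumps(data)


def missing_security_headers(headers):
    """Defender check: recommended headers absent from a response."""
    return sorted(h for h in SECURITY_HEADERS if h not in headers)


if __name__ == "__main__":
    cb = callback_from_url(PAYLOAD_URL)
    print("decoded callback starts with:", cb[:9])
    print("vulnerable body:", jsonp_response_vulnerable(cb, {"ok": True})[1])
    print("fixed body:", json_response_fixed(cb, {"ok": True})[1])
```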