
Cross Site Scripting Vulnerability #1267

@CarlosAndresRamirez

Description


An XSS vulnerability exists in the default error response when running Amber in the DEV environment.

Steps to Reproduce

When running Amber in the default DEV environment, the application is vulnerable to XSS.
It is quite hard to notice because most browsers might be mitigating/filtering the issue, so you cannot really see it in the browser.

I replicated it by sniffing the traffic (Wireshark) and just running a plaintext request from the command line. It can also be seen in Burp Suite, but once you load the request into the browser, it will fix the HTML code.

How to replicate:
Just run a regular app in the dev environment (in this case, on port 3000).

From command line:
nc localhost 3000

Then paste the following request:

GET /</title>

HELLO

HTTP/1.0
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Accept: text/html

NOTE: It looks like the request format is changed when displayed here on GitHub - see the attached screenshot for the original request.

You will see the response has multiple </title> tags - non-escaped code (reflected XSS) like this:
...

<title>Error 404 at GET /</title>

HELLO

- The request was not found. GET - /</title>

HELLO

</title>

As I said, it cannot be seen from the browser - some dynamic escaping occurs. The risk is low, but I guess it is worth checking - vulnerable code might be present in other parts of the framework.

Expected behavior: [What you expect to happen]
HTML input should be escaped.

Actual behavior: [What actually happens]

Reproduces how often: [What percentage of the time does it reproduce?]
All the time

Versions

Amber CLI (amberframework.org) - v1.0.0rc2

Additional Information

Attached screenshot: amber-xss
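To make the reported defect and its fix concrete, here is an added example (not Amber's code, and not part of the report above) written in Ruby, which is close enough to Crystal to read the same way. It renders a minimal 404 page in two forms: one that interpolates the request method and path straight into the HTML, as the report's response excerpt shows, and one that passes every untrusted value through `CGI.escapeHTML` first. The path value and the `reflects_raw_title_close?` check are constructed for this example; the check flags a response in which the raw `</title>` from the request survives, which is exactly what the reporter observed on the wire.

```ruby
require "cgi"

# Constructed example (not the framework's own code): a minimal 404 error
# page renderer in the shape the report describes, unescaped and escaped.

# Vulnerable form: the request method and path are interpolated raw into
# the HTML, so a path containing "</title>" closes the real title element.
def render_404_unescaped(method, path)
  <<~HTML
    <html><head><title>Error 404 at #{method} #{path}</title></head>
    <body><p>The request was not found. #{method} - #{path}</p></body></html>
  HTML
end

# Hardened form: every value taken from the request is HTML-escaped before
# it reaches the template. CGI.escapeHTML turns "<" into "&lt;", ">" into
# "&gt;", "&" into "&amp;" and quotes into entities, so markup in the path is
# rendered as text rather than parsed as tags.
def render_404_escaped(method, path)
  safe_method = CGI.escapeHTML(method)
  safe_path   = CGI.escapeHTML(path)
  <<~HTML
    <html><head><title>Error 404 at #{safe_method} #{safe_path}</title></head>
    <body><p>The request was not found. #{safe_method} - #{safe_path}</p></body></html>
  HTML
end

# Regression check (constructed): a correctly escaped page contains exactly
# one "</title>", the template's own. More than one means the raw closing tag
# from the request was reflected into the response.
def reflects_raw_title_close?(html)
  html.scan("</title>").size > 1
end

if __FILE__ == $0
  # Constructed request path echoing the payload from the report.
  path = "/</title>HELLO"
  puts "--- unescaped (reflects raw tag: #{reflects_raw_title_close?(render_404_unescaped("GET", path))}) ---"
  puts render_404_unescaped("GET", path)
  puts "--- escaped (reflects raw tag: #{reflects_raw_title_close?(render_404_escaped("GET", path))}) ---"
  puts render_404_escaped("GET", path)
end
```

A check like `reflects_raw_title_close?` is the kind of assertion worth keeping in a framework's test suite for every default error page, since the escaping has to hold for the 404 handler, the 500 handler and any other template that echoes request data.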
