I would have expected that such special characters within the URL are treated by Jetty. Tomcat behaves as expected:
IllegalArgumentException: Invalid character found in the request target [/cgi-bin/<script>xss-test</script>.asp].
The valid characters are defined in RFC 7230 and RFC 3986.
Hi,
our security team reported an issue with our Hawkbit instance:
Request:
POST to /cgi-bin/<script>xss-test<script>.asp
Response:
{"timestamp":"2021-01-11T07:18:10.650+0000","status":404,"error":"Not Found","message":"Not Found","path":"/cgi-bin/<script>xss-test</script>.asp"}
I was able to reproduce this behavior on your sandbox instance. Btw. for GET requests the path is not returned.
Could you please provide a fix or a workaround for that behavior?
Kind regards,
Holger
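As an added example (not hawkBit, Jetty or Tomcat code), the following validator checks a request target against the RFC 3986 path grammar that RFC 7230 reuses for origin-form targets, which is the check the Tomcat exception above refers to. It shows that the reported path fails on `<` and `>`, and that the same payload percent-encoded is syntactically valid, so rejecting raw characters does not remove the need to escape a path when echoing it in an error response.

```python
import re
import string

# RFC 3986 pchar = unreserved / pct-encoded / sub-delims / ":" / "@";
# path segments are joined by "/".  RFC 7230's origin-form reuses this grammar.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PATH_CHARS = UNRESERVED | SUB_DELIMS | set(":@/")
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def invalid_chars(component, extra=frozenset()):
    """Return characters not permitted unencoded in a path (or, with extra='?',
    a query), in order of first appearance.  A '%' counts as invalid unless it
    starts a well-formed %XX triplet."""
    bad = []
    i = 0
    while i < len(component):
        ch = component[i]
        if ch == "%" and PCT_ENCODED.match(component, i):
            i += 3  # well-formed pct-encoded triplet, skip it whole
            continue
        if ch not in PATH_CHARS and ch not in extra and ch not in bad:
            bad.append(ch)
        i += 1
    return bad


def is_valid_origin_form(target):
    """origin-form = absolute-path [ "?" query ]; the query additionally allows '?'."""
    if not target.startswith("/"):
        return False
    path, _, query = target.partition("?")
    return not invalid_chars(path) and not invalid_chars(query, extra={"?"})


if __name__ == "__main__":
    # Constructed inputs, including the path from the report above.
    reported = "/cgi-bin/<script>xss-test</script>.asp"
    print(invalid_chars(reported))  # ['<', '>']
    # The same payload percent-encoded passes the syntax check, so a server that
    # echoes the path must still escape it for the response's content type.
    print(is_valid_origin_form("/cgi-bin/%3Cscript%3Exss-test%3C/script%3E.asp"))  # True
    print(is_valid_origin_form("/a%zz"))  # False: malformed percent-encoding
```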