
Reflected XSS via back parameter #1

Closed
vavkamil opened this issue Aug 16, 2019 · 5 comments

Comments


@vavkamil vavkamil commented Aug 16, 2019

Hi, there is a reflected Cross-Site Scripting vulnerability via the back parameter.
The XSS payload is executed after clicking on the « Zpět button, for example:
https://socialnisystem.pirati.cz/davky/8-odmena-pestouna/?back=javascript:alert(1)

Relevant code:

data['back_link'] = self.request.GET['back']

I would suggest using something like Bleach:
https://bleach.readthedocs.io/en/latest/
to prevent such issues in the future :)


@xaralis xaralis commented Aug 16, 2019

Thanks for pointing this out, I will fix this ASAP.



@xaralis xaralis commented Aug 16, 2019

@vavkamil
I've added some additional checks in 1bd25d9 which I hope are sufficient, i.e. we only allow relative URLs to be passed in ?back. Can you please have a look?



@vavkamil vavkamil commented Aug 16, 2019

Hey, it was a very minor issue, so thanks for the very quick response! Checking for an empty scheme is effective against XSS here, but it still allows an open redirect:

from urllib.parse import urlparse

url = '//google.com'
parsed = urlparse(url)
print(parsed)

# ParseResult(scheme='', netloc='google.com', path='', params='', query='', fragment='')

So something like this will still work:
https://socialnisystem.pirati.cz/davky/8-odmena-pestouna/?back=//google.com
https://socialnisystem.pirati.cz/davky/8-odmena-pestouna/?back=\\google.com

But at this point I think that it's not worth the effort to fix it.



@xaralis xaralis commented Aug 16, 2019

OK, I'll add a check that netloc is empty, too :) This should fix it completely. I will release that ASAP.
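A validator for the back parameter along the lines agreed in the thread (empty scheme and empty netloc), written here as an added example and not the project's own fix. It also parses a copy of the value with backslashes turned into slashes, as Django's url_has_allowed_host_and_scheme does, because browsers treat the \\google.com variant above like //google.com; the sample inputs are constructed.

```python
from urllib.parse import urlparse

# Constructed samples covering the cases raised in this issue: a plain
# relative path, a javascript: scheme, an absolute URL, a protocol-relative
# URL and its backslash spellings. True means "safe to use as back_link".
SAMPLES = {
    "/davky/": True,
    "/davky/?page=2#top": True,
    "javascript:alert(1)": False,      # non-empty scheme (the reflected XSS)
    "https://example.org/": False,     # absolute URL to another host
    "//google.com": False,             # empty scheme, but netloc is set
    "///google.com": False,            # urlparse gives netloc='' here
    "\\\\google.com": False,           # browsers read backslashes as slashes
    "/\\google.com": False,
    "": False,
}


def is_safe_back_url(url: str) -> bool:
    """Accept only a same-site relative path such as '/davky/...'.

    Checks the original value and a backslash-normalised copy: a value
    passes only if neither has a scheme, neither has a netloc, neither
    starts with '//' (urlparse leaves netloc empty for '///host', while a
    browser still resolves it to another host), and it begins with '/'.
    """
    url = url.strip()
    if not url.startswith("/"):
        return False
    for candidate in (url, url.replace("\\", "/")):
        if candidate.startswith("//"):
            return False
        parsed = urlparse(candidate)
        if parsed.scheme or parsed.netloc:
            return False
    return True


def safe_back_link(back: str, default: str = "/") -> str:
    """What a view would store in data['back_link']: the value if safe, else a fallback."""
    return back if is_safe_back_url(back) else default


def check_samples() -> dict:
    """Return the samples whose verdict differs from the expected one (empty if all agree)."""
    return {u: is_safe_back_url(u) for u, want in SAMPLES.items() if is_safe_back_url(u) != want}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", safe_back_link(sample))
```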



@xaralis xaralis commented Aug 16, 2019

Fixed in fa84364.


@xaralis xaralis closed this Aug 16, 2019