
Reflected XSS via `back` parameter #1

Closed
vavkamil opened this issue Aug 16, 2019 · 5 comments

Comments

@vavkamil

commented Aug 16, 2019

Hi, there is a reflected Cross-Site Scripting vulnerability via the back parameter.
The XSS payload is executed after clicking the « Zpět button, example:
https://socialnisystem.pirati.cz/davky/8-odmena-pestouna/?back=javascript:alert(1)

Relevant code:

data['back_link'] = self.request.GET['back']

I will suggest using something like Bleach:
https://bleach.readthedocs.io/en/latest/
to prevent such issues in the future :)

@xaralis
Collaborator

commented Aug 16, 2019

Thanks for pointing out, I will fix this ASAP.

@xaralis
Collaborator

commented Aug 16, 2019

@vavkamil
I've added some additional checks in 1bd25d9 which I hope are sufficient, i.e. we only allow relative URLs to be passed in ?back. Can you please have a look?

@vavkamil
Author

commented Aug 16, 2019

Hey, it was a very minor issue, so thanks for the very quick response! Checking for the empty scheme is efficient in case of XSS here, but it still allows open redirect:

from urllib.parse import urlparse

url = '//google.com'
parsed = urlparse(url)
print(parsed)

# ParseResult(scheme='', netloc='google.com', path='', params='', query='', fragment='')

So something like this will still work:
https://socialnisystem.pirati.cz/davky/8-odmena-pestouna/?back=//google.com
https://socialnisystem.pirati.cz/davky/8-odmena-pestouna/?back=\\google.com

But at this point I think that it's not worth the effort to fix it.

@xaralis
Collaborator

commented Aug 16, 2019

OK, I'll add a check that netloc is empty, too :) This should fix it completely. I will release that ASAP.

@xaralis
Collaborator

commented Aug 16, 2019

Fixed in fa84364.

@xaralis xaralis closed this Aug 16, 2019
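The validation the thread converges on (empty scheme and empty netloc) is easy to get subtly wrong, so here is an added example of a complete "safe back link" check. It is not the project's code from 1bd25d9 or fa84364 and was written for this note; the DEFAULT_BACK fallback and the function names are assumptions. Beyond the two checks discussed above it also rejects backslashes (browsers treat "\\host" like "//host" even though urlparse leaves netloc empty, which is what the \\google.com example relies on) and ASCII control characters. Django itself ships an equivalent helper, django.utils.http.is_safe_url (renamed url_has_allowed_host_and_scheme in Django 3.0), which is the better choice inside a Django view.

```python
from urllib.parse import urlparse

# Constructed fallback used whenever the supplied ?back value is rejected
# (assumption: the app has a sensible default page to return to).
DEFAULT_BACK = "/"


def is_safe_back_url(value):
    """Return True only for a same-site, root-relative path that is safe to
    emit into an href without enabling javascript: URLs or open redirects."""
    if not isinstance(value, str) or not value:
        return False

    # Browsers silently drop ASCII control characters, so "java\tscript:"
    # would pass a naive scheme check. Reject any such input outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return False

    # Browsers normalise backslashes to forward slashes, so "\\evil.example"
    # behaves like "//evil.example" although urlparse() reports netloc=''.
    if "\\" in value:
        return False

    parsed = urlparse(value)
    # Empty scheme blocks javascript:/data:/http: ; empty netloc blocks the
    # protocol-relative "//host" form shown in the thread.
    if parsed.scheme or parsed.netloc:
        return False

    # Finally require a root-relative path ("/..."), so plain relative values
    # and anything urlparse did not classify as a host cannot leave the site.
    return value.startswith("/") and not value.startswith("//")


def back_link(raw_back):
    """What a view would store in data['back_link'] instead of the raw GET value."""
    return raw_back if is_safe_back_url(raw_back) else DEFAULT_BACK


if __name__ == "__main__":
    # Constructed sample inputs mirroring the payloads discussed in the issue.
    for candidate in ["/davky/8-odmena-pestouna/", "javascript:alert(1)",
                      "//google.com", "\\\\google.com", "java\tscript:alert(1)"]:
        print(repr(candidate), "->", back_link(candidate))
```

The check is deliberately an allow-list (root-relative path only) rather than a deny-list of bad schemes; any new bypass has to satisfy all four conditions at once, which is the property you want for a value that ends up in an href.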
