XSS vulnerability in NotFoundExceptionMapper #7248
Comments

Thanks for the report! Isn't

@gastaldi would you have the cycles to check out this one? Make sure this thing is only available in dev mode. And also, we should probably deal with escaping better than we currently do. If you don't have the time, please say so. Thanks!

Sure, I can have a look

The NotFoundExceptionMapper is only enabled in dev-mode indeed. The 404 page that this issue refers to is the one handled by Resteasy containing the error.

Remark: I am not even sure why a 404 is returned. It would be better to return EDIT: It's part of the spec:

Using

OK, thanks.
Ticket created in https://issues.redhat.com/browse/RESTEASY-2519 |
Description
The "no resource endpoint" HTML page which is rendered on 404 errors introduces an XSS vulnerability. Given as an example a GET endpoint which accepts a paging parameter in the form "start,offset" (i.e. 0,10), a request like:

/users?paging=0%2c-1sp137%3Cscript%3Ealert(1)%3C%2fscript%3Emzx4u

would lead to the following exception, and the 404 page in turn would execute the script (alert in our case).

RESTEASY003870: Unable to extract parameter from http request: javax.ws.rs.QueryParam("paging") value is '0,-1sp137<script>alert(1)</script>mzx4u'

Implementation ideas

Enable the 404 HTML page only in DEV mode.
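The two mitigations discussed in this issue (serve the HTML page only in dev mode, and HTML-escape the exception text before it reaches the page) are shown together below in an added example. This is illustration code written for this page, not Quarkus' or RESTEasy's own mapper; it uses only the standard JAX-RS `ExceptionMapper` and `Response` API, and assumes a `devMode` flag is handed in by whatever registers the mapper (here a plain constructor argument; how the provider is discovered is left to the framework). The sample message in `main` is the one quoted above.

```java
import javax.ws.rs.NotFoundException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;

/**
 * Example 404 mapper (not the project's own code): the exception message is
 * rendered into HTML only after escaping, and only when dev mode is on.
 */
public class EscapingNotFoundExceptionMapper implements ExceptionMapper<NotFoundException> {

    private final boolean devMode; // assumed to be supplied by the framework/config

    public EscapingNotFoundExceptionMapper(boolean devMode) {
        this.devMode = devMode;
    }

    /** Escape the characters that let untrusted text break out of HTML text or attribute context. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build the dev-mode 404 page; the message is escaped before being placed in the document. */
    static String renderPage(String message) {
        return "<!DOCTYPE html><html><head><meta charset=\"utf-8\">"
             + "<title>404 - Resource Not Found</title></head>"
             + "<body><h1>404 - Resource Not Found</h1>"
             + "<pre>" + escapeHtml(message) + "</pre></body></html>";
    }

    @Override
    public Response toResponse(NotFoundException e) {
        if (!devMode) {
            // Outside dev mode: plain 404, no HTML body and no echo of request-derived text.
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.status(Response.Status.NOT_FOUND)
                .type(MediaType.TEXT_HTML_TYPE)
                // Defence in depth: a CSP with no script-src blocks inline scripts even if
                // some later change forgets to escape.
                .header("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
                .entity(renderPage(e.getMessage()))
                .build();
    }

    // Runs the escaping over the message quoted in this issue (constructed input).
    public static void main(String[] args) {
        String message = "RESTEASY003870: Unable to extract parameter from http request: "
                       + "javax.ws.rs.QueryParam(\"paging\") value is "
                       + "'0,-1sp137<script>alert(1)</script>mzx4u'";
        String page = renderPage(message);
        System.out.println(page);
        // The page now carries "&lt;script&gt;alert(1)&lt;/script&gt;" and no raw <script> tag.
        if (page.contains("<script>")) {
            throw new IllegalStateException("escaping failed");
        }
    }
}
```

Escaping at the point where the untrusted string is placed into the markup is the fix that closes the bug; the dev-mode gate reduces exposure but does not by itself make the page safe, since developers also run dev mode in their browsers.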