301/302 XSS vulnerability


301/302 XSS vulnerability

xrd
Hello,

We detected an XSS vulnerability when we use 301 or 302 redirections.

How to reproduce?
 
curl -I -k "http://example.com/test'""'>><svg/onload=alert\`ayman\`>" > ayman.html

Open ayman.html and you will get the popup!

I tried the below redirections and it's valid in all cases:

 - return 301 https://www.exampl.com$request_uri;
 
 - rewrite ^/(.*) https://www.example.com/$1 permanent;

Nginx version: 1.14.2

Is there a fix/workaround for this?

Thanks

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286600,286600#msg-286600

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: 301/302 XSS vulnerability

Maxim Dounin
Hello!

On Thu, Dec 26, 2019 at 12:57:49PM -0500, ayman wrote:

> We detected XSS vulnerability when we use 301 or 302 redirections.
>
> How to reproduce?
>  
> curl -I -k "http://example.com/test'""'>><svg/onload=alert\`ayman\`>" >
> ayman.html
>
> open ayman.html and you will get the popup!

You are saving response headers, not the response itself.

--
Maxim Dounin
http://mdounin.ru/
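The point of the reply above, worked through as an added example that is not part of the thread: `curl -I` stores only the header block, so the probe string ends up in the file via the Location header, which a browser follows but never renders as HTML; the function below splits a raw response and reports whether a string landed in the body (rendered) or only in headers. Both responses are constructed; the nginx 301 page text and the header layout are an approximation, not captured output.

```python
# Added example (not from the thread): tell apart what "curl -I ... > file" saves
# (the header block) from what a browser renders (the body), then report where
# the probe string from the report actually lands. Both responses below are
# constructed; the first mimics nginx 1.14.2 with "return 301 ...$request_uri".
PAYLOAD = "<svg/onload=alert`ayman`>"
NGINX_301_BODY = (
    "<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n"
    '<body bgcolor="white">\r\n<center><h1>301 Moved Permanently</h1></center>\r\n'
    "<hr><center>nginx/1.14.2</center>\r\n</body>\r\n</html>\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx/1.14.2\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(NGINX_301_BODY)}\r\n"
    f"Location: https://www.example.com/test''>>{PAYLOAD}\r\n"
    "\r\n" + NGINX_301_BODY
)
# Counter-example: an application that echoes the request URI into the body.
REFLECTING_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    f"<p>No such page: /test''>>{PAYLOAD}</p>\r\n"
)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def curl_head_output(raw):
    """What curl -I writes to the file: the header block only, never the body."""
    return raw.partition("\r\n\r\n")[0] + "\r\n\r\n"

def classify_reflection(raw, payload):
    """'body' if the payload is in rendered content (a real reflection);
    'headers-only' if it appears only in a header such as Location, which a
    browser follows but never parses as HTML; otherwise 'none'."""
    _, headers, body = split_response(raw)
    if payload in body:
        return "body"
    if any(payload in value for value in headers.values()):
        return "headers-only"
    return "none"
```

Running `classify_reflection(RAW_RESPONSE, PAYLOAD)` gives "headers-only": the saved file from the report contains the string, but nothing a browser would execute after following the redirect.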