WebApp Sec mailing list archives
Re: Potential XSS errors when using information from HTTP requests
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Mon, 18 Oct 2004 08:16:00 +0200
Hi

On 16 Oct 2004 at 14:27, V.Benjamin Livshits wrote:

> I've been seeing a lot of redirects like the ones below in J2EE programs.
>
> 1. response.sendRedirect(request.getParameter("REFERRER"));
If you really mean that there is a parameter named REFERRER (and not the HTTP request header, which is, BTW, spelled "Referer" [sic!]), then this is a classic example of the security vulnerability called "HTTP Response Splitting" (see the paper "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by yours truly at: http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf).

One of the consequences of this vulnerability is indeed the ability to run an XSS attack against IE in a redirection scenario, which is exactly what you have here (it's all in the paper). Note that without using HTTP Response Splitting, you stand a challenge in doing XSS for IE in a redirection scenario, because IE does not parse the 3xx response body - it follows the Location header and ignores the body.
> 2. response.sendRedirect(request.getRequestURI());
> 3. response.sendRedirect(request.getServletPath() + toPath);
Again, if toPath uses user input (such as toPath=getParameter("toPath")), then this may be vulnerable to HTTP Response Splitting (see above).
> Since the URL the user is being redirected to comes from the HTTP header, I was wondering if forging parts of the header may lead to a cross-site scripting exploit of some sort. Clearly, it would be dangerous to use this data as part of SQL statements. However, I have trouble imagining XSS exploit scenarios.
>
> Thanks,
> -Ben
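An added example, not part of the thread: a J2EE helper that validates a user-supplied redirect target before it reaches sendRedirect(), rejecting the CR/LF that enables response splitting and also any absolute or protocol-relative URL. The class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Validates a user-supplied redirect target before it reaches sendRedirect(). */
public final class SafeRedirect {

    /**
     * Returns candidate if it is a safe site-relative path, otherwise fallback.
     * Rejects control characters (CR/LF = response splitting), any scheme or
     * authority (open redirect), and protocol-relative forms such as "//host".
     */
    public static String resolve(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        // getParameter() has already URL-decoded the value, so %0d%0a in the
        // query string arrives here as a literal CR LF. Any control char is fatal.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return fallback;
            }
        }
        // Only site-relative paths are allowed: exactly one leading "/".
        if (!candidate.startsWith("/") || candidate.startsWith("//")
                || candidate.startsWith("/\\")) {
            return fallback;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.getScheme() != null || uri.getAuthority() != null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;   // malformed input never reaches the Location header
        }
        return candidate;
    }

    /** Replacement for response.sendRedirect(request.getParameter(name)). */
    public static void redirectFromParameter(HttpServletRequest request,
                                             HttpServletResponse response,
                                             String name, String fallback)
            throws IOException {
        response.sendRedirect(resolve(request.getParameter(name), fallback));
    }
}
```

Current servlet containers generally refuse a Location header containing CR or LF, but whether the destination is an acceptable one (the open-redirect case) is a decision only the application can make.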
Current thread:
- Potential XSS errors when using information from HTTP requests V.Benjamin Livshits (Oct 17)
- Re: Potential XSS errors when using information from HTTP requests Amit Klein (AKsecurity) (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Tibor Veres (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Paul Johnston (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Jeff Williams (Oct 18)
- RE: Potential XSS errors when using information from HTTP requests Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Oct 18)