Need to fix: XSS vulnerability for invalid origin

Issue #29 resolved
Vy Luong created an issue

The origin is validated, but the value is passed without modification to CORSOriginDeniedException(); the exception message returned to the client reflects the origin that was in the request header.

If the request headers are tampered with and the origin is injected with javascript, vbscript, etc., this is an exploitable (reflected) XSS attack. While the message is specified with content-type "text/plain", Internet Explorer has MIME sniffing which may change the content-type.

Potential fixes:

1. strip the origin free of invalid characters
2. do not include the origin in the message
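The two fixes in one helper, as an added illustration that is not code from the CORS filter or from the reporter: the `SafeOriginDenial` class, its allow-list and method names are hypothetical. An Origin value is only echoed back when it passes a strict `scheme://host[:port]` check; anything else, including a header carrying a `javascript:` scheme or markup characters, gets a fixed message with no reflected input.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Hypothetical helper showing how a denial message can avoid reflecting a hostile Origin. */
public final class SafeOriginDenial {

    // Constructed allow-list for the example; a real filter reads this from configuration.
    private static final Set<String> ALLOWED = Set.of("https://app.example.com");

    /** Strict grammar: absolute http/https URI with a host, optional port, and nothing else. */
    static boolean isWellFormedOrigin(String origin) {
        if (origin == null || origin.isEmpty() || origin.length() > 255) {
            return false;
        }
        try {
            URI u = new URI(origin);               // throws on characters such as '<' or '"'
            String scheme = u.getScheme();
            if (scheme == null || !(scheme.equals("http") || scheme.equals("https"))) {
                return false;                      // rejects javascript:, vbscript:, data:, ...
            }
            if (u.getHost() == null || u.getRawUserInfo() != null) {
                return false;
            }
            String path = u.getRawPath();
            return (path == null || path.isEmpty())
                    && u.getRawQuery() == null
                    && u.getRawFragment() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Returns null when the origin is allowed, otherwise a message safe to send to the client. */
    static String denialMessage(String origin) {
        if (origin != null && ALLOWED.contains(origin)) {
            return null;
        }
        if (!isWellFormedOrigin(origin)) {
            // Fix 2: an unparseable or non-http(s) value is never echoed back.
            return "CORS origin denied";
        }
        // Fix 1: only a value that passed the strict grammar is included in the message.
        return "CORS origin denied: " + origin;
    }

    public static void main(String[] args) {
        System.out.println(denialMessage("https://evil.example"));          // echoed, well-formed
        System.out.println(denialMessage("javascript:alert(1)"));            // generic message
        System.out.println(denialMessage("<script>alert(1)</script>"));      // generic message
    }
}
```

Whichever message is chosen, sending `X-Content-Type-Options: nosniff` with the `text/plain` error response stops the Internet Explorer MIME sniffing the report mentions.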

Comments (4)

  1. Vladimir Dzhuvinov

    Thanks for describing this in detail. From reading the mail it wasn't immediately obvious to me that the problem is in the returned error message.

