misc Posted May 12, 2017

The following URL is a proof of concept XSS payload. In this instance, an alert popup has been executed. This attack is possible as the URL entered by the user is copied into the "Access Denied" page and executed as a script:

http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

Our fix or solution for this: We use the HTTPCommand event in ServerModule. First of all we decode the request URL with the TURLEncoder. With this we receive the clear text of the URL. Second we encode the URL with the THTMLEncoder. After this we check if the original URL (in clear text) is different from the HTML-encoded URL. If yes, there are forbidden HTML tags and we overwrite the result and cancel the request. With this we are safe to recognize all kinds of HTML tags in the URL.

    uses UniGUIVars, System.NetEncoding;

    procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
      AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
    const
      cResponseText = '<HTML>Forbidden characters in URI! Request cancelled.</HTML>';
    var
      vURI1, vURI2: String;
      vURLEncoder: System.NetEncoding.TURLEncoding;
      vHTMLEncoder: System.NetEncoding.THTMLEncoding;
    begin
      inherited;
      // Initialise both references so Free is safe even if the second Create raises
      // (local object variables are not nil-initialised in Delphi).
      vURLEncoder := nil;
      vHTMLEncoder := nil;
      try
        vURLEncoder := System.NetEncoding.TURLEncoding.Create;
        vHTMLEncoder := System.NetEncoding.THTMLEncoding.Create;
        // vURI1: the request URI with percent-encoding removed (clear text).
        vURI1 := vURLEncoder.Decode(ARequestInfo.URI);
        // vURI2: the clear text with markup characters (&, <, >, " among them)
        // turned into HTML entities.
        vURI2 := vHTMLEncoder.Encode(vURI1);
      finally
        vHTMLEncoder.Free;
        vURLEncoder.Free;
      end;
      // Any difference means the URI contains characters that would be live markup
      // if reflected into a page: answer with a fixed body and mark the request handled.
      if vURI1 <> vURI2 then
      begin
        AResponseInfo.ContentText := cResponseText;
        Handled := True;
      end;
    end;

Michael
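The check described in the post above, as an added example written in Python for this page; it is not the poster's Delphi code and not uniGUI or Indy code. It URL-decodes the request URI, HTML-encodes the clear text and flags any difference, exactly the comparison the post relies on. The function names, the sample URIs other than the proof-of-concept one quoted in the post, and the "Access denied" page body are constructed for the example. The second function shows the complementary output-side fix: HTML-encoding the URI at the point where it is written into the response page, which removes the reflection independently of what the input filter catches. One caveat the sample inputs make visible: because HTML encoding also rewrites a bare `&`, the comparison rejects ordinary query strings such as `?from=...&to=...` as well, so the filter needs to be scoped to the paths where that is acceptable.

```python
"""Reflected-XSS check on a request URI, mirroring the approach in the post.

contains_html_markup: URL-decode, HTML-encode, compare (the input-side filter).
render_access_denied: HTML-encode the URI where it is reflected (the output-side fix).
"""
from html import escape
from urllib.parse import unquote


def contains_html_markup(request_uri: str) -> bool:
    """True if URL-decoding the URI yields characters that HTML-encoding would change."""
    decoded = unquote(request_uri)
    # html.escape(quote=True) rewrites & < > " and ' (slightly stricter than the
    # Delphi encoder); any difference means the raw URI could become live markup
    # if it were copied verbatim into a page.
    return escape(decoded, quote=True) != decoded


def render_access_denied(request_uri: str) -> str:
    """Build an 'Access denied' body with the reflected URI HTML-encoded.

    Constructed page body; the real uniGUI/Indy page text is not reproduced here.
    """
    return "<HTML>Access denied: " + escape(unquote(request_uri), quote=True) + "</HTML>"


def classify(uris):
    """Return {uri: flagged?} so the outcome of the filter is inspectable."""
    return {uri: contains_html_markup(uri) for uri in uris}


# Sample inputs. POC_URI is the path part of the proof-of-concept URL quoted in the
# post; the other two are constructed for this example.
POC_URI = ("/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3D"
           "alert(%22XSS-Attack%E2%80%9C)%3E")
BENIGN_URI = "/cache/project1_exe/favicon.ico"
QUERY_URI = "/report?from=2017-05-01&to=2017-05-31"   # ordinary query separators


if __name__ == "__main__":
    for uri, flagged in classify([POC_URI, BENIGN_URI, QUERY_URI]).items():
        print(f"{'BLOCK' if flagged else 'allow'}  {uri}")
    # Even without the filter, the encoded reflection contains no raw <img ...> tag.
    print(render_access_denied(POC_URI))
```

Running the block prints BLOCK for the proof-of-concept URI and for the plain query-string URI, allow for the bare favicon path, and then the encoded page body in which the payload appears as `&lt;img ... &gt;` text rather than as a tag.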
misc (Author) Posted May 12, 2017

ps. If you want to test it in your own environment just add this to your URL:

If you test it in your project:

http://<YOUR-IP>:<YOUR-PORT>/cache/<YOUR-PROJECT-EXE-NAME>/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

If you create and run a Project1 test application:

http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E
Harry Rogers Posted May 12, 2017

This is interesting. However, I'm not getting the same result with UniGui Ver 1.0.0.1381. Edge and IE both give "Access denied: favicon&". Chrome (ver 58.0.3029.110) also does not load the page and reports ERR_BLOCKED_BY_XSS_AUDITOR.
misc (Author) Posted May 13, 2017

I am getting the result with UniGUI 1.0.0.1390. For sure uniGUI does not take care of this. It looks like the internet browser and/or firewall settings on the client are blocking it on your machine. But if it is possible from the server side, you open it up to hackers.
IRWANTO82 Posted May 26, 2017

What result XSS from this: http://demo.simple-landlord.com/
misc (Author) Posted May 27, 2017

What question from you? ...sorry, just kidding about your post, but I really do not know what you are asking, or if you are asking at all. Maybe you should try to write whole sentences and try to add some more content.