XSS issue in access denied page over URL script

The following URL is a proof of concept XSS payload. In this instance, an alert popup has been executed. This attack is possible as the URL entered by the user is copied into the "Access Denied" page and executed as a script:


http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E


Our fix or solution for this:


We use the HTTPCommand Event in ServerModule. First of all, we decode the request URL with the TURLEncoder. With this we receive the clear text of the URL. Second, we encode the URL with the THTMLEncoder. After this we check whether the original URL (in clear text) differs from the HTML-encoded URL. If yes, there are forbidden HTML tags and we overwrite the result and cancel the request. With this we are safe to recognize all kinds of HTML tags in the URL.

uses
  UniGUIVars, System.NetEncoding;

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
const
  cResponseText = '<HTML>Forbidden characters in URI! Request cancelled.</HTML>';
var
  vURI1, vURI2: String;
  vURLEncoder: System.NetEncoding.TURLEncoding;
  vHTMLEncoder: System.NetEncoding.THTMLEncoding;
begin
  inherited;
  // Initialise both references before the try block so that the Free calls
  // in the finally part are safe even if one constructor raises
  // (TObject.Free is a no-op on nil).
  vURLEncoder := nil;
  vHTMLEncoder := nil;
  try
    vURLEncoder := System.NetEncoding.TURLEncoding.Create;
    vHTMLEncoder := System.NetEncoding.THTMLEncoding.Create;

    // Clear text of the request URI (percent-decoded)
    vURI1 := vURLEncoder.Decode(ARequestInfo.URI);
    // Same text with HTML special characters (such as <, > and &) turned into entities
    vURI2 := vHTMLEncoder.Encode(vURI1);
  finally
    vHTMLEncoder.Free;
    vURLEncoder.Free;
  end;

  // Any difference means the URI contained characters that would be
  // interpreted as markup when reflected into a page: cancel the request.
  if vURI1 <> vURI2 then
    begin
      AResponseInfo.ContentText := cResponseText;
      Handled := True;
    end;
end;

Michael

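Added example (Python, not code from the post above or from uniGUI): the same decode/encode round-trip check the Delphi handler performs, placed beside the output-encoding fix for the Access Denied page itself, which is the other half of closing a reflected XSS. The page layout, the 400 status code and the use of html.escape as the HTML encoder are assumptions; the sample URI is the proof of concept quoted in the thread.

```python
from html import escape
from urllib.parse import unquote

# Constructed sample input: the proof-of-concept URI from the thread,
# path only, as the server sees it after host and port.
POC_URI = ("/cache/project1_exe/favicon.ico"
           "&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E")

FORBIDDEN_BODY = "<HTML>Forbidden characters in URI! Request cancelled.</HTML>"


def has_html_markup(raw_uri: str) -> bool:
    """Round-trip check mirroring the Delphi handler: percent-decode the URI,
    HTML-encode the result and treat any difference as forbidden markup.
    html.escape also rewrites '&' and quotes, so an ordinary query string
    such as '?a=1&b=2' is rejected too, not only '<' and '>'."""
    decoded = unquote(raw_uri)
    return escape(decoded, quote=True) != decoded


def filter_request(raw_uri: str) -> tuple[int, str]:
    """Request-level filter stage. The status code is an assumption; the
    Delphi code only sets the body and Handled := True."""
    if has_html_markup(raw_uri):
        return 400, FORBIDDEN_BODY
    return 200, ""


def access_denied_vulnerable(raw_uri: str) -> str:
    """Assumed layout of the original page: the decoded URI is copied into
    the HTML verbatim, so the injected <img onerror> is parsed as a tag."""
    return f"<html><body><h1>Access Denied</h1><p>{unquote(raw_uri)}</p></body></html>"


def access_denied_hardened(raw_uri: str) -> str:
    """Output-encoding fix: escape the reflected URI at render time, so the
    browser shows the payload as text even if the request filter is off."""
    return (f"<html><body><h1>Access Denied</h1>"
            f"<p>{escape(unquote(raw_uri), quote=True)}</p></body></html>")


if __name__ == "__main__":
    print(filter_request(POC_URI))
    print(access_denied_hardened(POC_URI))
```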

PS: If you want to test it in your own environment, just add this to your URL:

If you test it in your project:

http://<YOUR-IP>:<YOUR-PORT>/cache/<YOUR-PROJECT-EXE-NAME>/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

If you create and run a Project1 test application:

http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

I am getting the result with UniGUI 1.0.0.1390


For sure uniGUI does not take care of this. It looks like the internet browser and/or firewall settings on the client are blocking it on your machine.


But if it is possible from the server side, you open it for hackers.


What question from you? ...sorry just kidding about your post but I really do not know what you are asking or if you are asking at all. Maybe you should try to write whole sentences and try to add some more content.
