Posted

The following URL is a proof-of-concept XSS payload. In this instance, an alert popup has been executed. This attack is possible because the URL entered by the user is copied into the "Access Denied" page and executed as a script:

http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

Our fix or solution for this:

We use the HTTPCommand event in the ServerModule. First of all we decode the request URL with the TURLEncoder. With this we receive the clear text of the URL. Second, we encode the URL with the THTMLEncoder. After this we check if the original URL (in clear text) is different from the HTML-encoded URL. If so, there are forbidden HTML tags and we overwrite the result and cancel the request. With this we are safe to recognize all kinds of HTML tags in the URL.

uses
  UniGUIVars, System.NetEncoding;

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
const
  cResponseText = '<HTML>Forbidden characters in URI! Request cancelled.</HTML>';
var
  vURI1, vURI2: String;
  vURLEncoder: System.NetEncoding.TURLEncoding;
  vHTMLEncoder: System.NetEncoding.THTMLEncoding;
begin
  inherited;
  // Initialise both references to nil so that the finally block is safe
  // even if the first Create raises before the second one has run
  vURLEncoder := nil;
  vHTMLEncoder := nil;
  try
    vURLEncoder := System.NetEncoding.TURLEncoding.Create;
    vHTMLEncoder := System.NetEncoding.THTMLEncoding.Create;

    // Clear text of the requested URI (percent-decoded once)
    vURI1 := vURLEncoder.Decode(ARequestInfo.URI);
    // HTML-encoded copy: differs from vURI1 only if the clear text contains
    // characters that have an HTML escape (&, <, >, " ...)
    vURI2 := vHTMLEncoder.Encode(vURI1);
  finally
    vURLEncoder.Free;
    vHTMLEncoder.Free;
  end;

  // Any difference means HTML-significant characters were present:
  // answer with a fixed page and stop further processing of the request
  if vURI1 <> vURI2 then
    begin
      AResponseInfo.ContentText := cResponseText;
      Handled := True;
    end;
end;

Michael

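To make the behaviour of the check above concrete outside of Delphi, here is an added example (not code from the post or from uniGUI) that re-implements the same "URL-decode once, HTML-encode, compare" logic in Python, runs it over the proof-of-concept URL from the post and a few constructed request URIs, and contrasts the request-side filter with escaping at the point where the URI is written into the "Access Denied" page. The URIs other than the PoC are constructed for this example; the `render_access_denied_*` functions are hypothetical stand-ins for whatever page uniGUI reflects the URL into, and `html.escape` is used in place of Delphi's THTMLEncoding, so the exact set of escaped characters may differ slightly.

```python
from html import escape
from urllib.parse import unquote

# The proof-of-concept URI from the post (path and query part only).
POC_URI = ("/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3D"
           "alert(%22XSS-Attack%E2%80%9C)%3E")

# Constructed inputs for this example (not captured from a real server).
BENIGN_URI = "/cache/project1_exe/favicon.ico"
BENIGN_QUERY_URI = "/cache/project1_exe/favicon.ico?a=1&b=2"
# Same tag as the PoC but percent-encoded twice (%25 is an encoded '%').
DOUBLE_ENCODED_URI = ("/cache/project1_exe/favicon.ico%253Cimg%2520src%253Da"
                      "%2520onerror%253Dalert(1)%253E")


def has_forbidden_chars(request_uri: str) -> bool:
    """Re-implementation of the post's check.

    Decode the percent-encoding once (TURLEncoding.Decode), HTML-encode the
    clear text (THTMLEncoding.Encode) and report a difference.  Any character
    that has an HTML escape (&, <, >, ", ') trips the check, tag or not.
    """
    clear_text = unquote(request_uri)
    return clear_text != escape(clear_text, quote=True)


def render_access_denied_unsafe(request_uri: str) -> str:
    """Hypothetical sink that reflects the decoded URI verbatim into HTML.

    This reproduces the condition the post describes: the payload becomes
    markup in the response.
    """
    return f"<HTML>Access denied: {unquote(request_uri)}</HTML>"


def render_access_denied_safe(request_uri: str) -> str:
    """Same hypothetical sink with output encoding applied at the sink.

    Escaping the reflected value turns '<img ...>' into text, which closes
    the injection regardless of what the request-side filter did.
    """
    return f"<HTML>Access denied: {escape(unquote(request_uri), quote=True)}</HTML>"


def classify(uris):
    """Run the request-side check over a list of URIs; returns {uri: flagged}."""
    return {uri: has_forbidden_chars(uri) for uri in uris}


if __name__ == "__main__":
    for uri, flagged in classify(
        [POC_URI, BENIGN_URI, BENIGN_QUERY_URI, DOUBLE_ENCODED_URI]
    ).items():
        print(f"{'BLOCK' if flagged else 'pass '}  {uri}")
    print(render_access_denied_unsafe(POC_URI))
    print(render_access_denied_safe(POC_URI))
```

Two things worth noting from the run: the check also blocks an ordinary query string such as `?a=1&b=2`, because `&` has an HTML escape, so it is a coarse filter rather than a tag detector; and a payload that is percent-encoded twice passes the single decode unchanged. Whether the page that reflects the URL decodes it a second time is not established in this thread, which is why the escaping in `render_access_denied_safe` is the change that actually removes the injection, with the request-side check as an additional layer.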

Posted

PS. If you want to test it in your own environment, just add this to your URL:

If you test it in your project:

http://<YOUR-IP>:<YOUR-PORT>/cache/<YOUR-PROJECT-EXE-NAME>/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

If you create and run a Project1 test application:

http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E
Posted

This is interesting.

However, I'm not getting the same result with UniGui Ver 1.0.0.1381.

Edge and IE both give "Access denied: favicon&".

Chrome (ver 58.0.3029.110) also does not load the page and reports ERR_BLOCKED_BY_XSS_AUDITOR.

Posted

I am getting the result with UniGUI 1.0.0.1390.

For sure uniGUI does not take care of this. It looks like the internet browser and/or firewall settings on the client are blocking it on your machine.

But if it is possible from the server side, you open it to hackers.

  • 2 weeks later...
Posted

What question from you? ...sorry just kidding about your post but I really do not know what you are asking or if you are asking at all. Maybe you should try to write whole sentences and try to add some more content.
