Proxy One
2015-Aug-12 10:39 UTC
[CentOS] Apache mod_perl cross site scripting vulnerability
On 2015-Aug-11 19:57, Ellen Shull wrote:
> On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:
> > I haven't used <Location /perl-status> but Trustwave still finds me
> > vulnerable.
> > [...]
> > Response: HTTP/1.1 404 Not Found
>
> You clearly aren't serving perl-status; that's a red herring here.

Indeed, I don't have mod_proxy installed.

> [...]
> > Body: contains '"><script>alert('xss')</script>'
>
> That's your problem; they're flagging you for an XSS "vulnerability".
> I'm guessing you have a custom 404 page that naively echoes the entire
> request URL as part of the page? You need to be using
> htmlspecialchars() or HTML::Entities or whatever your
> language/environment has to escape strings for safe inclusion in HTML
> content.

There is a PHP-generated 404 page. I'll check that with the web developer. What's strange, I'm trying to reproduce this and I don't see that string. Trustwave support suggested I use Burp Suite and its repeater tool. I found some Windows machine, installed it, and all I see inside the body is "Unable to resolve the request "perl-status/APR::SockAddr::port". Is there a way to use curl for testing? I'm getting a new line because of the single quote inside the string, and escaping it with a backslash gives me bash: syntax error near unexpected token `<'

> There is of course more to it than that (sigh), try for starters:
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Very nice reading, thanks!
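As an added example (not code from this thread or from the poster's site), here is the pattern Ellen describes written out in PHP: a custom 404 page that drops the request URL into its HTML verbatim, beside the same page fixed with htmlspecialchars(). The function names and the constructed $demoUri standing in for $_SERVER['REQUEST_URI'] are assumptions.

```php
<?php
// Added example, not the original 404 page. Two renderers for a custom
// 404 page: one reproduces the naive echo that a scanner flags as XSS,
// the other escapes the URL before it is placed inside HTML.

// The pattern the scanner flags: the request URI is inserted verbatim,
// so a URL containing "><script>... closes the surrounding attribute/tag
// and the rest is parsed as markup by the browser.
function render404_unsafe($uri)
{
    return '<h1>Not Found</h1>'
        . '<p>Unable to resolve the request "' . $uri . '"</p>';
}

// Hardened version: htmlspecialchars() with ENT_QUOTES converts <, >, &,
// " and ' into entities, so the URI is rendered as text, never as markup.
// Passing the charset explicitly avoids surprises with the default.
function render404_safe($uri)
{
    $safeUri = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
    return '<h1>Not Found</h1>'
        . '<p>Unable to resolve the request "' . $safeUri . '"</p>';
}

// Returns true when a raw <script> tag survives in the rendered page,
// i.e. the renderer is injectable; a simple check a tester can keep.
function rawScriptSurvives($html)
{
    return strpos($html, '<script>') !== false;
}

// In a real handler this would be $_SERVER['REQUEST_URI']; here a
// constructed value mimics the scanner's probe from the report.
$demoUri = '/perl-status/"><script>alert(\'xss\')</script>';

$unsafe = render404_unsafe($demoUri);
$safe   = render404_safe($demoUri);

echo "Unsafe page:\n", $unsafe, "\n\n";
echo "Escaped page:\n", $safe, "\n\n";
echo 'raw <script> in unsafe page: ', var_export(rawScriptSurvives($unsafe), true), "\n";
echo 'raw <script> in escaped page: ', var_export(rawScriptSurvives($safe), true), "\n";
```

Run it with `php` on the command line to see the two renderings side by side; the escaped page shows the probe as literal text while the unsafe one still carries a live tag.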
Ellen Shull
2015-Aug-12 12:17 UTC
[CentOS] Apache mod_perl cross site scripting vulnerability
On Wed, Aug 12, 2015 at 3:39 AM, Proxy One <proxy-one at mail.ru> wrote:
> Is there a way to use curl for testing? I'm getting a new line because of
> the single quote inside the string, and escaping it with a backslash gives me
> bash: syntax error near unexpected token `<'

You can use curl's -K option, which lets you stick arguments in a file, helpful for getting around shell quoting nightmares. For example, make a file named test-url-file which contains the line

url = http://www.mydomain.com/[bad stuff, don't want this message tripping over some filter for containing a malicious-looking URL]

then do

curl -g -K test-url-file

Note that just gets you around shell interpretation; curl does some of its own as well. The -g switch I used there disables its interpretation of {}[] as special globbing characters. If you put the url in double quotes then not only do you have to escape any double quotes in the string, it also starts interpreting backslash sequences, so you have to double all backslashes, so oddly it's best to just leave quotes off.

--ln
On 2015-Aug-12 05:17, Ellen Shull wrote:
> On Wed, Aug 12, 2015 at 3:39 AM, Proxy One <proxy-one at mail.ru> wrote:
> > Is there a way to use curl for testing? I'm getting a new line because of
> > the single quote inside the string, and escaping it with a backslash gives me
> > bash: syntax error near unexpected token `<'
>
> You can use curl's -K option, which lets you stick arguments in a file,
> helpful for getting around shell quoting nightmares. For example, make
> a file named test-url-file which contains the line
> url = http://www.mydomain.com/[bad stuff, don't want this message
> tripping over some filter for containing a malicious-looking URL]
>
> then do curl -g -K test-url-file
>
> Note that just gets you around shell interpretation; curl does some of
> its own as well. The -g switch I used there disables its
> interpretation of {}[] as special globbing characters. If you put the
> url in double quotes then not only do you have to escape any double
> quotes in the string, it also starts interpreting backslash sequences,
> so you have to double all backslashes, so oddly it's best to just
> leave quotes off.

Thanks, it works! I was able to reproduce the problem and to see how my changes affected the response from the server.