rcrowley / go-tigertonic

A Go framework for building JSON web services inspired by Dropwizard


Potential security issue (XSS in Accept header)

pich4ya opened this issue · comments

The HTTP response returns the unsanitized value from the Accept header. This may allow an attacker to conduct a cross-site scripting attack. Technically, the likelihood of exploiting this is very low. It requires the victim to use Internet Explorer with the MIME sniffing feature enabled; on top of that, setting these headers in the victim's request is not really possible, to my knowledge. However, I believe it is worth sanitizing user input here.

GET /xxx HTTP/1.1
Accept: xxx_<script>alert(/XSS/)</script>_yyy
Host: example.com
Connection: close

HTTP/1.1 406 Not Acceptable
Content-Type: text/plain
...

tigertonic.MarshalerError: Accept header "xxx_<script>alert(/XSS/)</script>_yyy" does not allow "application/json"

The underlying code is as follows:
https://github.com/rcrowley/go-tigertonic/blob/master/marshaler.go

	if !isReader && !acceptJSON(r) {
		ResponseErrorWriter.WritePlaintextError(w, NewHTTPEquivError(NewMarshalerError(
			"Accept header %q does not allow \"application/json\"",
			r.Header.Get("Accept"),
		), http.StatusNotAcceptable))
		return
	}
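A hardened version of the 406 path quoted above, added here as an illustration and not code from go-tigertonic (acceptsJSON is a simplified stand-in for the library's own matcher, an assumption of this example): the echoed header value is escaped before it is written, and X-Content-Type-Options: nosniff is set so a browser that sniffs MIME types will not reinterpret the text/plain body as HTML.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// acceptsJSON is a simplified stand-in for tigertonic's acceptJSON (an assumption
// of this example, not the library's matcher): an absent header or a JSON media type passes.
func acceptsJSON(accept string) bool {
	for _, part := range strings.Split(accept, ",") {
		switch strings.TrimSpace(strings.SplitN(part, ";", 2)[0]) {
		case "", "application/json", "application/*", "*/*":
			return true
		}
	}
	return false
}

// sanitizeAccept makes a client-supplied header value safe to echo: %q escapes
// control bytes, html.EscapeString neutralises <, >, &, " and ' for sniffing browsers.
func sanitizeAccept(accept string) string {
	return html.EscapeString(fmt.Sprintf("%q", accept))
}

// handler mirrors the issue's 406 path but reflects the value sanitized and sets nosniff.
func handler(w http.ResponseWriter, r *http.Request) {
	accept := r.Header.Get("Accept")
	if !acceptsJSON(accept) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.WriteHeader(http.StatusNotAcceptable)
		fmt.Fprintf(w, "Accept header %s does not allow \"application/json\"\n", sanitizeAccept(accept))
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"ok":true}`)
}

func main() { // constructed request carrying the header value from the report
	req := httptest.NewRequest(http.MethodGet, "/xxx", nil)
	req.Header.Set("Accept", "xxx_<script>alert(/XSS/)</script>_yyy")
	rec := httptest.NewRecorder()
	handler(rec, req)
	fmt.Println(rec.Code, rec.Body.String())
}
```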