Are XSS vunrabilities found on pages that are application/json false positives.
Hi
I am trying to understand why Arachni marks application/json patches that reflect user data as a severity risk of high.
The json endpoint has the following properties:
* that reflects user data as correctly formated json. * the path to the resource can not be changed. * the content-type is application/json
So far I have not been able to find an example where someone has been able to use that end point for XSS.
I am aware that if you made a web page that accepted user data and forwards that to the JSON endpoint and then uses the resulting json to write to the DOM then it would be possible. However that is a failure of the page using the JSON endpoint rather than the JSON endpoint.
Further I could probably trick Arachni by having json return \uXXXX chars but in the case that a web pages fetches json from the JSON endpoint interprets the json (thus converting \uXXXX back into chars) and then writing that json into the dom, the XSS is still possible.
Is arachni marking a false positive?
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
Support Staff 1 Posted by Tasos Laskos on 09 Nov, 2017 06:16 AM
Hello,
It does sound like an FP although I think I've already fixed it in the experimental branch, could you please retry using the nightlies?
Cheers
2 Posted by Luke Butters on 10 Nov, 2017 03:47 AM
Hi,
Thanks for the reply.
Keep in mind that if the path ends with .html (or can end with .html) then some versions of IE will go oh its a html page and try to interpret the json has html.
-Luke
Tasos Laskos closed this discussion on 04 May, 2018 09:19 AM.