Are XSS vunrabilities found on pages that are application/json false positives.

Luke Butters's Avatar

Luke Butters

07 Nov, 2017 06:31 AM


I am trying to understand why Arachni marks application/json patches that reflect user data as a severity risk of high.

The json endpoint has the following properties:
* that reflects user data as correctly formated json. * the path to the resource can not be changed. * the content-type is application/json

So far I have not been able to find an example where someone has been able to use that end point for XSS.

I am aware that if you made a web page that accepted user data and forwards that to the JSON endpoint and then uses the resulting json to write to the DOM then it would be possible. However that is a failure of the page using the JSON endpoint rather than the JSON endpoint.

Further I could probably trick Arachni by having json return \uXXXX chars but in the case that a web pages fetches json from the JSON endpoint interprets the json (thus converting \uXXXX back into chars) and then writing that json into the dom, the XSS is still possible.

Is arachni marking a false positive?

  1. Support Staff 1 Posted by Tasos Laskos on 09 Nov, 2017 06:16 AM

    Tasos Laskos's Avatar


    It does sound like an FP although I think I've already fixed it in the experimental branch, could you please retry using the nightlies?


  2. 2 Posted by Luke Butters on 10 Nov, 2017 03:47 AM

    Luke Butters's Avatar


    Thanks for the reply.

    Keep in mind that if the path ends with .html (or can end with .html) then some versions of IE will go oh its a html page and try to interpret the json has html.


  3. Tasos Laskos closed this discussion on 04 May, 2018 09:19 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac