CXF-8672: CXF /services page vulnerable to a reflected Cross-Site Scripting (XSS) attack in latest and older CXF versions


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Cannot Reproduce
    • Affects Version/s: 3.4.5, 3.5.1
    • Fix Version/s: None
    • Component/s: JAX-RS Security
    • Labels: None
    • Environment: Java 11, Windows
    • Estimated Complexity: Unknown

    Description

      We're creating a JAX-WS endpoint based on our implementation class. We have attached our web.xml file and our beans.xml file, where we are exposing our services param.

      We found out that while listing our services endpoint using the CXF servlet we are facing security issues.

      Actually we have a URL:

      URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2 and the XSS vulnerability is working fine in this. It gives an error when we add a <script> tag in the URL that contains the domain name or cookie, and it should work this way.

      But as soon as we enter "/services" at the last place in the URL (see below)

      URL http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services

      it will list the WADL services which are exposed. In this case it should throw an error. "/services" is handled by the CXF servlet in web.xml. We looked into the CXF sites and found that it is a known bug in the CXF library that was not fixed in the latest CXF version either, e.g. 3.5.1.

      This URL is OK: http://localhost:8080/app/services -> gives WADL
      This URL is OK: http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2 -> gives the error "No services found", handling the <script> tag as XSS protection.

      But this URL is not OK and it should be fixed by the CXF library: http://localhost:8080/app/services/"><script>alert(document.domain)</script>sz2q2/services -> gives WADL
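An added triage check in Python, not code from the ticket or from CXF: a hypothetical services-listing renderer that HTML-escapes every request-derived value, plus a helper that tells whether a decoded request path is reflected unencoded in a response body, which is the question a "Cannot Reproduce" verdict has to settle. The two URL paths from the report are embedded as constructed samples; function names are assumptions.

```python
import html
from urllib.parse import unquote

# Constructed samples: the two path forms quoted in the report above.
REPORTED_PATHS = [
    '/app/services/"><script>alert(document.domain)</script>sz2q2',
    '/app/services/"><script>alert(document.domain)</script>sz2q2/services',
]

def render_listing(request_path: str, services: list[str]) -> str:
    """Hypothetical listing page (not CXF's own renderer). Every value that
    originates from the request is escaped for both text and attribute
    context, so request-controlled markup cannot become part of the DOM."""
    safe_path = html.escape(unquote(request_path), quote=True)
    rows = "".join(
        f'<li><a href="{safe_path}/{html.escape(s, quote=True)}">'
        f"{html.escape(s)}</a></li>"
        for s in services
    )
    return (f"<html><body><h1>Available services under {safe_path}</h1>"
            f"<ul>{rows}</ul></body></html>")

def path_reflected_unescaped(request_path: str, body: str) -> bool:
    """Triage check: does any markup-significant segment of the decoded
    request path reappear verbatim in the response body? True means the
    page echoed request-controlled markup without encoding it."""
    decoded = unquote(request_path)
    for segment in decoded.split("/"):
        if any(c in segment for c in "<>\"'") and segment in body:
            return True
    return False

if __name__ == "__main__":
    for path in REPORTED_PATHS:
        page = render_listing(path, ["Hello", "Ping"])
        print(path, "->", "reflected" if path_reflected_unescaped(path, page) else "encoded")
```

The same `path_reflected_unescaped` check can be run against a body captured from a real deployment with a plain HTTP client, replacing the rendered sample page.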

      Attachments

        1. image-2022-03-09-17-56-45-811.png (49 kB, chandra)
        2. image-2022-03-10-12-13-36-176.png (19 kB, chandra)
        3. Screenshot 2022-03-09 at 12.49.05.png (69 kB, Colm O hEigeartaigh)
        4. web.xml (1 kB, chandra)

        People

          • Assignee: Unassigned
          • Reporter: Chandra.Jhala (chandra)