Reqflected Cross site scripting issue

View profile · 05-05-2019

I have a Cross Site Scripting Reflected Issue , where I am intercepting the request through fiddler and injecting a script by modifying resourceType = value + some script which is getting executed in the browser once getting the response .Is there any way to handle ! .This is in the authoring instance where i don't have a dispatcher .can it be handled in the config.xml for xssprotection ?I am writing filter and checking each url to see any script tag .Is it the correct approach?

View profile · 05-05-2019

Do I understand you correctly, that you intercept a response sent from AEM to the browser and you inject some JS there? That would be a man-in-the-middle attack.

Actually, I don't think that this is a valid attack vector. You should use TLS to secure the connection and to detect any man-in-the-middle. Also I don't think that there as way to mitigate this attack, because any MITM can modify all content, and inject custom code everywhere. And there's no way to prevent that on the server-side. And using a TLS connection is the only way to prevent this attack.

View profile · 05-05-2019

I intercept the request through fiddle and inject something like" &resourceTypes=aemsite-project/components/page/><script>alert(document.coocke)</script>HTTp1.1 " in the get request . On response , this script is executed on the browser as reflected script .Thiis is in the author instance . I could not find any way to handle this through config.xml ( overlaying /libs/cq/xssprotection/config.xml )

View profile · 06-05-2019

ok, you intercepted that request? That seems really odd to me.

Please raise a ticket with Adobe support, because this needs to be addressed with them.

Thanks!

Jörg

Replies