Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Reqflected Cross site scripting issue

pradeeps8875810
Level 2
Level 2

I have a Cross Site Scripting Reflected Issue , where I am intercepting the request through fiddler and injecting a script by modifying resourceType = value + some script which is getting executed in the browser once getting the response .Is there any way to handle ! .This is in the authoring instance where i don't have a dispatcher .can it be handled in the config.xml for xssprotection ?I am writing filter and checking each url to see any script tag .Is it the correct approach?

0 Replies
Jörg_Hoh
Employee
Employee

Do I understand you correctly, that you intercept a response sent from AEM to the browser and you inject some JS there? That would be a man-in-the-middle attack.

Actually, I don't think that this is a valid attack vector. You should use TLS to secure the connection and to detect any man-in-the-middle. Also I don't think that there as way to mitigate this attack, because any MITM can modify all content, and inject custom code everywhere. And there's no way to prevent that on the server-side. And using a TLS connection is the only way to prevent this attack.

pradeeps8875810
Level 2
Level 2

I intercept the request through fiddle and inject something like" &resourceTypes=aemsite-project/components/page/><script>alert(document.coocke)</script>HTTp1.1 " in the get request . On response , this script is executed on the browser as reflected script .Thiis is in the author instance . I could not find any way to handle this through config.xml  ( overlaying /libs/cq/xssprotection/config.xml )

Jörg_Hoh
Employee
Employee

ok, you intercepted that request? That seems really odd to me.

Please raise a ticket with Adobe support, because this needs to be addressed with them.

Thanks!

Jörg