Highlighted

Reqflected Cross site scripting issue

Avatar

Avatar

pradeeps8875810

Avatar

pradeeps8875810

pradeeps8875810

05-05-2019

I have a Cross Site Scripting Reflected Issue , where I am intercepting the request through fiddler and injecting a script by modifying resourceType = value + some script which is getting executed in the browser once getting the response .Is there any way to handle ! .This is in the authoring instance where i don't have a dispatcher .can it be handled in the config.xml for xssprotection ?I am writing filter and checking each url to see any script tag .Is it the correct approach?

Replies

Highlighted

Avatar

Avatar

Jörg_Hoh

Employee

Total Posts

(val/1000)?string[".0"]}K

Likes

891

Correct Answer

(val/1000)?string[".0"]}K

Avatar

Jörg_Hoh

Employee

Total Posts

(val/1000)?string[".0"]}K

Likes

891

Correct Answer

(val/1000)?string[".0"]}K
Jörg_Hoh
Employee

05-05-2019

Do I understand you correctly, that you intercept a response sent from AEM to the browser and you inject some JS there? That would be a man-in-the-middle attack.

Actually, I don't think that this is a valid attack vector. You should use TLS to secure the connection and to detect any man-in-the-middle. Also I don't think that there as way to mitigate this attack, because any MITM can modify all content, and inject custom code everywhere. And there's no way to prevent that on the server-side. And using a TLS connection is the only way to prevent this attack.

Highlighted

Avatar

Avatar

pradeeps8875810

Avatar

pradeeps8875810

pradeeps8875810

05-05-2019

I intercept the request through fiddle and inject something like" &resourceTypes=aemsite-project/components/page/><script>alert(document.coocke)</script>HTTp1.1 " in the get request . On response , this script is executed on the browser as reflected script .Thiis is in the author instance . I could not find any way to handle this through config.xml  ( overlaying /libs/cq/xssprotection/config.xml )

Highlighted

Avatar

Avatar

Jörg_Hoh

Employee

Total Posts

(val/1000)?string[".0"]}K

Likes

891

Correct Answer

(val/1000)?string[".0"]}K

Avatar

Jörg_Hoh

Employee

Total Posts

(val/1000)?string[".0"]}K

Likes

891

Correct Answer

(val/1000)?string[".0"]}K
Jörg_Hoh
Employee

06-05-2019

ok, you intercepted that request? That seems really odd to me.

Please raise a ticket with Adobe support, because this needs to be addressed with them.

Thanks!

Jörg