Vulnerability ID: 3CKB-0YMG-CEQK-P0VA
Application Name: AgentMessageGeneratorRuby
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/7b7c6b72-2652-4e2d-9b52-ada4357bd80a/vulns/3CKB-0YMG-CEQK-P0VA
What Happened?
We tracked the following data from Header Value:
POST /pages/search
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es-419;q=0.8,es;q=0.7,fr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Cookie: _godzillaSession=c79624cdf624d680c9297fa8b9395560; Rubymine-227b963d=c6db1531-5ef3-47e3-a3ea-a7b1e168e146; __profilin=p%3Dt; _railsgoat_session=RTA1NjNLOWhQNkVFelZMcUdZREdGZEhDQ0JwUHFCTUxrOURvcmZzZVEvd3ptQUt6Z0ZxZjlqdGNqR1NnSy9DelFZcXJESGp5dnpUcnBtVWwwMkV2aGFYa3VIazQvY3B2MWxVeW9RMkRlc1ZEcUVFeHV2L0VkNUc2dVljMTlWMmtLQkVZVVk2cEJ3RmRlZEhPaVl6T3gxT0VwSTRhRm85bWt1d0p0SE9ZVVhUTnRpZ3lvRHNmVzdtb3k5TFRDLzhxRTVlejQvS3BBVGMyR0VIVlpVYnhCUThYNXFQTHl0TWt2dHVFUzNLYThENUNXbGd5SVhUR29FSjFKZVFBZ1hMQi0tSkJHeGRZL3J6c2ZJZmpmaC9XNGhZZz09--f26a37df09baa30c849c775eb85027206f0ec16d
Host: localhost:3000
Origin: http://localhost:3000
Referer: http://localhost:3000/pages/search?utf8=%E2%9C%93&q=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Version: HTTP/1.1
utf8=%E2%9C%93&q=%3Cscript%3Ealert%28%22a%22%29%3B%3C%2Fscript%3E&commit=Search
...which was accessed within the following code:
Application.html.erb#html_safe(), line 65
...and observed going into the HTTP response below, without validation or encoding:
You searched for <script>alert("a");</script>
What's the risk?
Cross-Site Scripting (XSS) enables attackers to inject client-side script into trusted Web pages viewed by other users. Because the script runs in the victim's browser with the page's origin, the attacker can use it to make victims silently perform actions that benefit the attacker, such as sending the attacker their session cookie or account credentials, or submitting requests as the victim. Any view code that takes data controlled by a user and puts it on the page without validation or encoding is likely to be vulnerable to this attack. In this finding, the q parameter from the search form is marked html_safe in application.html.erb (line 65), so the <script> element the user submitted is written into the response unencoded.
Recommendation
If you are using Rails, avoid the use of html_safe and raw for any calls that render user input: html_safe does not make a string safe, it only asserts that the string already is, and it switches off the output escaping that <%= %> applies by default. For Sinatra, avoid the use of body for any calls that render user input. If untrusted data absolutely must be placed into HTML, encode it at the point of output with Rack::Utils.escape_html or ERB::Util.html_escape (the h helper), which convert &, <, >, " and ' into character entities so the browser treats the value as text rather than markup.
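The following is an added example, not code from the report or from the application it describes. It reproduces the vulnerable pattern the finding points at (user input emitted into the HTML stream unencoded, as html_safe does in Rails) next to the hardened version, using only the Ruby standard library: ERB::Util.html_escape is the same encoder Rails' default <%= %> escaping relies on, and it encodes the same characters as the Rack::Utils.escape_html call named in the recommendation. The sample input is the q= value from the request above, URL-decoded the way Rack does before it reaches the view; the template strings and function names are assumptions for illustration.

```ruby
require "erb"
require "cgi"

# Constructed sample input: the exact q= parameter from the reported request,
# URL-decoded as Rack/Rails would before it reaches the view.
SAMPLE_QUERY = CGI.unescape("%3Cscript%3Ealert%28%22a%22%29%3B%3C%2Fscript%3E")
RAW_PAYLOAD  = '<script>alert("a");</script>'

# Vulnerable pattern: plain ERB does not escape <%= %>, which is the same
# effect as calling html_safe/raw on the value inside a Rails view. The
# attacker's markup goes into the response verbatim.
UNSAFE_TEMPLATE = ERB.new("<p>You searched for <%= q %></p>")

# Hardened pattern: encode at the point of output. ERB::Util.html_escape
# turns & < > " ' into entities; Rack::Utils.escape_html does the same.
SAFE_TEMPLATE = ERB.new("<p>You searched for <%= ERB::Util.html_escape(q) %></p>")

# Render the search banner without encoding (the behaviour the finding reports).
def render_search_unsafe(q)
  UNSAFE_TEMPLATE.result_with_hash(q: q)
end

# Render the search banner with output encoding applied.
def render_search_safe(q)
  SAFE_TEMPLATE.result_with_hash(q: q)
end

# Reflection check a reviewer or a regression test can run: does the rendered
# HTML still contain the raw payload, i.e. an unencoded '<' from user data?
def reflects_raw_markup?(html, payload = RAW_PAYLOAD)
  html.include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_search_unsafe(SAMPLE_QUERY)}"
  puts "safe:   #{render_search_safe(SAMPLE_QUERY)}"
  puts "unsafe reflects payload: #{reflects_raw_markup?(render_search_unsafe(SAMPLE_QUERY))}"
  puts "safe reflects payload:   #{reflects_raw_markup?(render_search_safe(SAMPLE_QUERY))}"
end
```

The check is deliberately the same one Contrast performed: feed the decoded parameter through the view and look for the unencoded payload in the response. In a Rails app the fix is usually just removing the html_safe or raw call so the default escaping runs; encoding explicitly, as above, is for templates that bypass it.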
HTTP Request
POST http://localhost:3000/pages/search HTTP/1.1
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
ACCEPT-ENCODING: gzip, deflate, br
ACCEPT-LANGUAGE: en-US,en;q=0.9,es-419;q=0.8,es;q=0.7,fr;q=0.6
CACHE-CONTROL: max-age=0
CONNECTION: keep-alive
COOKIE: _godzillaSession=c79624cdf624d680c9297fa8b9395560; Rubymine-227b963d=c6db1531-5ef3-47e3-a3ea-a7b1e168e146; __profilin=p%3Dt; _railsgoat_session=RTA1NjNLOWhQNkVFelZMcUdZREdGZEhDQ0JwUHFCTUxrOURvcmZzZVEvd3ptQUt6Z0ZxZjlqdGNqR1NnSy9DelFZcXJESGp5dnpUcnBtVWwwMkV2aGFYa3VIazQvY3B2MWxVeW9RMkRlc1ZEcUVFeHV2L0VkNUc2dVljMTlWMmtLQkVZVVk2cEJ3RmRlZEhPaVl6T3gxT0VwSTRhRm85bWt1d0p0SE9ZVVhUTnRpZ3lvRHNmVzdtb3k5TFRDLzhxRTVlejQvS3BBVGMyR0VIVlpVYnhCUThYNXFQTHl0TWt2dHVFUzNLYThENUNXbGd5SVhUR29FSjFKZVFBZ1hMQi0tSkJHeGRZL3J6c2ZJZmpmaC9XNGhZZz09--f26a37df09baa30c849c775eb85027206f0ec16d
HOST: localhost:3000
ORIGIN: http://localhost:3000
REFERER: http://localhost:3000/pages/search?utf8=%E2%9C%93&q=
UPGRADE-INSECURE-REQUESTS: 1
USER-AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
VERSION: HTTP/1.1
commit=Search&q=%3Cscript%3Ealert%28%22a%22%29%3B%3C%2Fscript%3E&utf8=%E2%9C%93
References
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)