amberframework / amber

A Crystal web framework that makes building applications fast, simple, and enjoyable. Get started with quick prototyping, fewer bugs, and blazing fast performance.
https://amberframework.org
MIT License

Cross Site Scripting Vulnerability #1267

Open CarlosAndresRamirez opened 3 years ago

CarlosAndresRamirez commented 3 years ago

Description

An XSS vulnerability exists in the default error response when running Amber in the DEV environment.

Steps to Reproduce

When running amber in the default DEV environment, the application is vulnerable to XSS. It is quite hard to notice because most browsers might be mitigating/filtering the issue. So you cannot really see it in the browser.

I replicated it by sniffing the traffic (Wireshark) and just running a plaintext request from the command line. Also, it can be seen in Burp Suite, but once you load the request in a browser, it will fix the HTML code.

How to replicate: just run a regular app in the dev environment (in this case, on port 3000).

From the command line: `nc localhost 3000`

Then paste the following request:

```
GET / HELLO HTTP/1.0
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Accept: text/html
```

NOTE: Looks like the request format is changed when displayed here in github - see attached screenshot for the original request.

You will see the response has multiple non-escaped pieces of code (reflected XSS), like this: ...

```
Error 404 at GET /

HELLO

- The request was not found. GET - /

HELLO
```

As I said, it cannot be seen from the browser; some dynamic escaping occurs. Risk is low, but I guess it is worth checking, as vulnerable code might be present in other parts of the framework.

Expected behavior: HTML input should be escaped.

Actual behavior:

Reproduces how often: All the time

Versions

Amber CLI (amberframework.org) - v1.0.0rc2

Additional Information

(attached screenshot: amber-xss)
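To make the reported defect concrete, here is an added illustration (not Amber's code; written in Ruby, whose `CGI.escapeHTML` plays the role Crystal's `HTML.escape` would in the real template). It renders the 404 page in the shape shown in the report, once with the request path interpolated raw and once escaped, and includes a simple check for whether the body still carries the raw tag. The request value is constructed; the actual payload from the report is only in the attached screenshot.

```ruby
require "cgi"

# Constructed request: a path carrying HTML, standing in for the nc request
# from the report (the real payload is only visible in the attached screenshot).
REQUEST = { method: "GET", path: "/<b>HELLO</b>" }

# Vulnerable rendering: the method and path are interpolated straight into the
# markup, which is the shape of the bug reported for the development error page.
def render_error_unescaped(req)
  <<~HTML
    <h1>Error 404 at #{req[:method]} #{req[:path]}</h1>
    <p>The request was not found. #{req[:method]} - #{req[:path]}</p>
  HTML
end

# Hardened rendering: every request-derived value passes through an HTML
# escaper before it reaches the template, so "<b>" becomes "&lt;b&gt;".
def render_error_escaped(req)
  method = CGI.escapeHTML(req[:method])
  path   = CGI.escapeHTML(req[:path])
  <<~HTML
    <h1>Error 404 at #{method} #{path}</h1>
    <p>The request was not found. #{method} - #{path}</p>
  HTML
end

# Detection check usable in a test suite: does the rendered body still contain
# the raw tag that was sent in the request?
def reflects_raw_tag?(body, tag = "<b>")
  body.include?(tag)
end
```

Running the check against both renderings shows the unescaped template reflecting the tag and the escaped one not.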

robacarp commented 3 years ago

Does this also exist when the app is not running in development mode?

CarlosAndresRamirez commented 3 years ago

Turns out that the XSS vulnerability is in the "template" used to display errors when in development mode. As this is not enabled in production, it cannot be triggered.

However, I think the real problem is that Amber by default is not escaping input. Shouldn't it escape input parameters by default, just as Rails and all other frameworks do?