jbrozenick / httpfox

Automatically exported from code.google.com/p/httpfox
GNU General Public License v2.0
0 stars 0 forks source link

XSS vulnerability in POST data pretty printing #85

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
POST data pretty printing allows execution of JavaScript code if the data 
wasn't recognized as XML. The attached testcase exemplifies the problem:

1. Upload the attached file to a webserver.
2. Open it while HttpFox is running, a POST request will be emitted.
3. Now click the POST request to open its info.

You will see an alert box saying "/XSS/" - JavaScript code was successfully 
injected and executed, thanks to the following code in showPostData function:

 // just raw...
 document.getElementById("hf_PostDataPretty").contentDocument.body.innerHTML = request.PostData;

Luckily, the code isn't executed with chrome privileges - saved by 
type="content" here. Simply replacing innerHTML by textContent fixes the issue.

Note that there are similar issues in the debug panel (which end-users should 
luckily never see). Looking at getDebugInfoContent(), HTML entities need to be 
encoded for all the dynamic data inserted into HTML. There are multiple places 
here where a malicious website could inject HTML code otherwise. Luckily, 
type="content" prevents the issue from escalating here as well.

Original issue reported on code.google.com by wladi...@palant.de on 27 Jul 2010 at 11:23

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by pappkame...@gmail.com on 26 Aug 2010 at 10:16

GoogleCodeExporter commented 9 years ago
post data display changed in version 0.8.8

Original comment by pappkame...@gmail.com on 30 Aug 2010 at 10:10