What happened?
When crafting a request to an API using NelmioCors in Symfony, a reflected XSS vulnerability is introduced because of these lines in EventListener/CorsListener.php.
The 400 response is returned with the offending request header echoed into the response body without sanitizing it, so script tags in the header are executed in the user's browser.
How to reproduce?
Set up an API using the NelmioCors bundle
Craft a request using the request headers below (substitute path and host with your test API)
Verify that the response body contains <script>alert(1)</script>, and that the script is executed in the browser.
How to fix it?
You could simply escape the contents of $headers, but I would have a look at all $response->setContent() statements to check that they don't return anything from the request payload without sanitizing it.
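The following is an added illustration, not code from NelmioCorsBundle and not a copy of the lines the report refers to in EventListener/CorsListener.php (those lines are not reproduced here). It models the behaviour the report describes with a hypothetical preflight check, shows the vulnerable pattern (the rejected header name reflected unescaped into an HTML body) next to the escaped form the report suggests, and additionally serves the rejection as text/plain, which goes one step beyond the report's fix. The allow-list, function names and the hostile header value are all constructed for the example; it runs with plain php and has no Symfony dependency.

```php
<?php
// Added example (hypothetical, not NelmioCorsBundle's own code): a preflight
// handler that rejects a request header not on the allow-list with a 400.
// Responses are plain arrays [status, headers, body] so this runs without Symfony.

declare(strict_types=1);

// Constructed allow-list for the example.
const ALLOWED_HEADERS = ['content-type', 'authorization'];

/** Vulnerable pattern: the rejected header name is echoed unescaped into an HTML body. */
function rejectVulnerable(string $requestedHeader): array
{
    return [
        400,
        ['Content-Type' => 'text/html; charset=UTF-8'],
        'Unauthorized header ' . $requestedHeader,
    ];
}

/** Hardened pattern: escape the reflected value and serve the body as plain text. */
function rejectHardened(string $requestedHeader): array
{
    $safe = htmlspecialchars($requestedHeader, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return [
        400,
        [
            'Content-Type' => 'text/plain; charset=UTF-8',
            'X-Content-Type-Options' => 'nosniff',
        ],
        'Unauthorized header ' . $safe,
    ];
}

/** Shared preflight check; returns null when every requested header is allowed. */
function checkPreflight(string $accessControlRequestHeaders, callable $reject): ?array
{
    foreach (explode(',', $accessControlRequestHeaders) as $header) {
        $header = trim($header);
        if ($header === '') {
            continue;
        }
        if (!in_array(strtolower($header), ALLOWED_HEADERS, true)) {
            return $reject($header);
        }
    }
    return null;
}

function ensure(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

// Constructed input: an Access-Control-Request-Headers value carrying markup.
$hostile = 'Content-Type, <script>alert(1)</script>';

[$status, $headers, $body] = checkPreflight($hostile, 'rejectVulnerable');
// Raw <script> tag in a text/html body: this is the reflected XSS the report describes.
ensure($status === 400, 'expected 400');
ensure(str_contains($body, '<script>'), 'vulnerable body should reflect the tag unescaped');

[$status, $headers, $body] = checkPreflight($hostile, 'rejectHardened');
// Only the escaped form survives, and the content type is not HTML.
ensure($status === 400, 'expected 400');
ensure(!str_contains($body, '<script>'), 'hardened body must not contain a raw tag');
ensure(str_contains($body, '&lt;script&gt;'), 'hardened body should contain the escaped form');
ensure($headers['Content-Type'] === 'text/plain; charset=UTF-8', 'hardened response should be plain text');

echo "hardened body: {$body}\n";
```

The same check is useful as a regression test once the fix is in: send the reproduction request from above and assert that the body contains no `<` character and that the Content-Type of the 400 response is not HTML.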