search

nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License
1.89k stars 108 forks source link

Reflected XSS vulnerability #162

Closed fredrikstave closed 3 years ago

fredrikstave commented 3 years ago

What happened?

When crafting a request to an API using NelmioCors in Symfony, a reflected XSS vulnerability is introduced because of these lines in EventListener/CorsListener.php.

The 400 response is returned with the offensive header outputted in the response body without sanitizing the request header, causing script tags to be executed in the users browser.

How to reproduce?

  1. Set up an API using the NelmioCors bundle
  2. Craft a request using the request headers below (substitute path and host with your test API)
Request-Line: OPTIONS /path/to/page HTTP/1.1
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,*/*; q=0.8
Sec-Fetch-Dest: document
Sec-Fetch-User: ?1
Origin: https://example.com
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
User-Agent: Mozilla/5.0 (compatible; Detectify) +https://detectify.com/bot/xxx
Access-Control-Request-Headers: <script>alert(1)</script>
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Host: example.com
  1. Verify that the response body contains <script>alert(1)</script>, and that the script is executed in the browser.

How to fix it?

You could simply escape the contents of $headers, but I would have a look at all $response->setContent() statements to check that they don't return anything from the request payload without sanitizing it.