"JSON response with no apparent XSSI protection" - why this classification?

[GoogleCodeExporter]

Why is the following being classified as a JSON/XSSI issue?

=== REQUEST ===

GET /auth/signin?cont_url=-->">'>'"<sfi000032v524891>&email= HTTP/1.1
Host: x.x.x.x:4000
Accept-Encoding: gzip
Connection: keep-alive
User-Agent: Mozilla/5.0 SF/1.69b
Range: bytes=0-199999
Referer: -->">'>'"<sfi000032v524891>
Cookie: ...

=== RESPONSE ===

HTTP/1.1 302 Found
Server: nginx/0.8.52
Date: Thu, 21 Oct 2010 21:36:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Location: https://x.x.x.x:4000/auth/-->">'>'"<sfi000032v524891>
Content-Length: 125
Set-Cookie: ...

302 Found

The resource was found at '>'"">https://x.x.x.x:4000/auth/">'>'"; you should be 
redirected automatically.  

Original issue reported on code.google.com by yaa...@gmail.com on 23 Oct 2010 at 12:26

[GoogleCodeExporter]

This is probably a glitch. Will investigate.

Original comment by lcam...@gmail.com on 23 Oct 2010 at 12:47

• Changed state: Accepted

[GoogleCodeExporter]

Okay, so I am a bit struggling to understand how this response was actually 
generated. Can you help me out? What's the underlying code? Where did the >'""> 
bit come from? What's with the closing ">'>'? This is not something that 
skipfish injects (although it seems vaguely close).

The response does look a bit like JavaScript, so I can see why it's being 
detected this way; I can fine-tune the algorithm, but it would be good to know 
how this syntax came to be in the first place.

Original comment by lcam...@gmail.com on 26 Oct 2010 at 8:40

[GoogleCodeExporter]

Sure thing. After some time I've managed to boil it down to the following 
simplified test case. The problem stems just from the Pylons 1.0 built-in 
redirector. After installing Pylons:

paster create -t pylons # call it 'hello' and accept defaults
cd hello/
sed -i s/5000/5001/ development.ini
paster controller redir
cat > hello/controllers/redir.py << EOF
import logging
from pylons import request, response, session, tmpl_context as c, url
from pylons.controllers.util import abort, redirect
from hello.lib.base import BaseController, render
log = logging.getLogger(__name__)
class RedirController(BaseController):
    def index(self):
        # Return a rendered template
        #return render('/redir.mako')
        # or, return a string
        redirect(request.params.getone('url'))
EOF
paster serve development.ini

$ nc -q1 localhost 5001 << EOF
> GET /redir/index?url=-->">'>'"<sfi000032v524891>&email= HTTP/1.1
> Host: x.x.x.x:4000
> Accept-Encoding: gzip
> Connection: keep-alive
> User-Agent: Mozilla/5.0 SF/1.69b
> Range: bytes=0-199999
> Referer: -->">'>'"<sfi000032v524891>
> Cookie: ...
> 
> EOF
HTTP/1.0 302 Found
Server: PasteWSGIServer/0.5 Python/2.6.5
Date: Tue, 26 Oct 2010 23:32:45 GMT
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
Location: http://x.x.x.x:4000/redir/-->">'>'"<sfi000032v524891>
Content-Length: 118

302 Found

The resource was found at '>'"">http://x.x.x.x:4000/redir/">'>'"; you should be 
redirected automatically.

Original comment by yaa...@gmail.com on 26 Oct 2010 at 11:34

[GoogleCodeExporter]

I'm sort of out of ideas how to fix this in a generic manner, partly because I 
genuinely don't understand how the framework arrived at that response (note 
that it has very little to do with the injected strings, or any transformation 
thereof - ->">'>'"<sfi...> versus '>'"">).

I will keep thinking about it, but honestly, I'm at loss. I wonder if it makes 
more sense to report this to framework authors instead?

Original comment by lcam...@gmail.com on 23 Nov 2010 at 6:43

• Changed state: WontFix

[GoogleCodeExporter]

I did report it there, but I also reported it here in case you thought it was a 
problem. I agree it's pretty bizarre.

Original comment by yaa...@gmail.com on 23 Nov 2010 at 7:04