    XSS in SmartClient error message

    SmartClient Version: v12.1p_2022-12-31/LGPL Development Only (built 2022-12-31)
    Browser: Chrome


    Hi,

    I received a report from a recent pentest. They were able to execute an XSS attack against our site.

    Here's the URL the testers were able to inject. Note that the call to example.com was blocked, but the error handler was invoked after being displayed in the error message.
    Code:
    https://www.example.com/?<img src=x onerror=alert(1)>
    The screenshot below shows that the error message isn't being HTML Encoded. We already have a fix on our side, but I thought I'd bring it to Isomorphic's attention.

    [Screenshot attachment: Screenshot 2024-10-22 at 1.31.28 PM.png]

    Thanks!

    #2
    This is not a SmartClient XSS exploit, this is an application-specific XSS error.

    Specifically, that is a client-side error message, not coming from the server. So it requires first that you have somehow allowed some untrusted users to store unsanitized URLs that are automatically used in attempted fetches by other users.

    That’s the error - sharing unsanitized URLs between users - not the fact that as a distant consequence, SmartClient’s error handling will display the unsanitized URL.



      #3
      Hi, and thanks for the response!

      I think you are spot on with your assessment. Our fix was to sanitize the URLs. I just thought you might want to HTML encode any error messages before displaying.

      Thanks!

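As an added example (not code from this thread or from SmartClient), the two defenses discussed above in plain JavaScript: the raw concatenation behind the report next to an HTML-encoding version, and a URL sanitizer applied before a URL is stored or fetched. The host allowlist is an assumption and the input URL is constructed to match the one in the report.

```javascript
// Constructed input modelled on the URL reported in the pentest.
const REPORTED_URL = 'https://www.example.com/?<img src=x onerror=alert(1)>';

// Hosts this application is allowed to fetch from (assumed allowlist).
const ALLOWED_HOSTS = new Set(['www.example.com', 'api.example.com']);

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// The pattern behind the report: the untrusted URL is concatenated straight
// into markup, so assigning the result to innerHTML runs the injected tag.
function buildErrorHtmlUnsafe(url) {
  return 'Failed to fetch ' + url;
}

// Hardened form: encode the untrusted URL before it becomes markup.
function buildErrorHtml(url) {
  return 'Failed to fetch ' + escapeHtml(url);
}

// Sanitize a URL before it is stored or used in a fetch: parse it with the
// WHATWG URL parser, require https and an allowlisted host, and return the
// normalised href (the parser percent-encodes <, >, ", ' and spaces in the
// query). Returns null for anything that does not pass.
function sanitizeFetchUrl(input) {
  let parsed;
  try { parsed = new URL(input); } catch { return null; }
  if (parsed.protocol !== 'https:' || !ALLOWED_HOSTS.has(parsed.hostname)) return null;
  const href = parsed.href;
  // Belt and braces: never accept a URL that still carries HTML metacharacters.
  return /[<>"']/.test(href) ? null : href;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildErrorHtmlUnsafe(REPORTED_URL)); // contains a live <img> tag
  console.log(buildErrorHtml(REPORTED_URL));       // &lt;img ... &gt; as inert text
  console.log(sanitizeFetchUrl(REPORTED_URL));     // percent-encoded query
  console.log(sanitizeFetchUrl('javascript:alert(1)')); // null
}
```

Note that the reported URL points at the application's own host, so an allowlist alone does not stop it; the encoding at render time is what makes the error message inert.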