
🐛 Bug Fix : express vulnerable to XSS via response.redirect()

Open kreeksec opened this issue 1 year ago • 0 comments

In express <4.20.0, passing untrusted user input — even after it has been sanitized — to `response.redirect()` may execute untrusted code.


it('should not render evil javascript links in anchor href (prevent XSS)', function (done) {
  // Regression test: the redirect target is a `javascript:` URL, the kind of
  // value an attacker would want reflected into the redirect page.
  const xss = 'javascript:eval(document.body.innerHTML=`<p>XSS</p>`);';
  // The same value percent-encoded. Both the Location header and the HTML
  // body are expected to carry this form, so no raw backticks or angle
  // brackets from the untrusted value appear in the response.
  const encodedXss = 'javascript:eval(document.body.innerHTML=%60%3Cp%3EXSS%3C/p%3E%60);';

  const app = express();
  app.use((req, res) => {
    res.redirect(xss);
  });

  // An HTML client gets a plain paragraph naming the encoded target; the
  // assertion holds only if no <a href="..."> anchor is rendered around it.
  const expectedBody = `<p>Found. Redirecting to ${encodedXss}</p>`;

  request(app)
    .get('/')
    .set('Host', 'http://example.com')
    .set('Accept', 'text/html')
    .expect('Content-Type', /html/)
    .expect('Location', encodedXss)
    .expect(302, expectedBody, done);
});

kreeksec · Oct 25 '24 17:10