
Cross-site Scripting (XSS) - Reflected

Open danbf opened this issue 3 years ago • 1 comment

Hey,

We've found a Cross-site Scripting (XSS) - Reflected at https://httpbin.org

POC: navigate to URL:

https://httpbin.org/base64/ZXhhbXBsZS5vcmciPjxzdmcvb25sb2FkPXByb21wdCgneHNzJyk+

XSS will pop up.

Impact: attacker is able to execute JavaScript code on users.

danbf, Nov 29 '21 21:11

The Go port solved this by ensuring that text/plain is always returned rather than text/html.

https://github.com/mccutchen/go-httpbin/pull/68

danbf, Nov 30 '21 15:11
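As an added illustration, not code from httpbin or from the go-httpbin pull request linked above, here is a simplified stand-in for a `/base64/<value>` handler written in Python (httpbin's own language). The handler names, the sample input and the response tuples are assumptions for this example; the point is the one the thread makes: an endpoint that echoes decoded user bytes must not declare `text/html`, and the fix is to always return `text/plain`, here paired with `X-Content-Type-Options: nosniff` so the browser does not sniff the type back to HTML.

```python
import base64
import binascii

# Constructed sample input: base64 of a string that carries an HTML tag. It is
# not the page's PoC; it only shows why the response content type matters.
SAMPLE_B64 = base64.urlsafe_b64encode(b"hello <b>world</b>").decode("ascii")


def decode_base64_segment(value: str) -> bytes:
    """Decode a URL-safe base64 path segment, tolerating stripped '=' padding.

    Raises ValueError when the input is not valid base64.
    """
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("incorrect base64 data") from exc


def base64_view_vulnerable(value: str) -> tuple[int, dict[str, str], bytes]:
    """Assumed, simplified stand-in for the behaviour the issue reports:
    decoded bytes are echoed back as text/html, so a browser renders whatever
    markup the requester put in the URL, a classic reflected XSS sink."""
    try:
        body = decode_base64_segment(value)
    except ValueError:
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"Incorrect Base64 data"
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def base64_view_hardened(value: str) -> tuple[int, dict[str, str], bytes]:
    """The fix the comment describes for the Go port, applied here in Python:
    always declare text/plain so the browser displays the bytes instead of
    parsing them. X-Content-Type-Options: nosniff stops the browser from
    second-guessing the declared type."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    try:
        body = decode_base64_segment(value)
    except ValueError:
        return 400, headers, b"Incorrect Base64 data"
    return 200, headers, body


def response_is_safe_to_reflect(headers: dict[str, str]) -> bool:
    """A check a reviewer or a unit test can run against any endpoint that
    echoes user-controlled bytes: it must not be served under an HTML type,
    and it must forbid MIME sniffing."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return (
        ctype not in {"text/html", "application/xhtml+xml"}
        and headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    )


if __name__ == "__main__":
    for view in (base64_view_vulnerable, base64_view_hardened):
        status, headers, body = view(SAMPLE_B64)
        verdict = "safe" if response_is_safe_to_reflect(headers) else "UNSAFE"
        print(f"{view.__name__}: {status} {headers['Content-Type']} -> {verdict}")
```

The `response_is_safe_to_reflect` check is the part worth keeping around: dropped into a test suite, it catches a regression where someone later switches the endpoint back to an HTML content type, which is exactly the class of bug this issue reports.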