Open
Description
The HTTP response returns an unsanitized value from the Accept header. This may allow an attacker to conduct a cross-site scripting attack. Technically, the likelihood of exploiting this is very low. It requires the victim to use Internet Explorer with the MIME sniffing feature enabled; on top of that, setting these headers in the victim's request is not really possible, to my knowledge. However, I believe it is worth sanitizing user input here.
GET /xxx HTTP/1.1
Accept: xxx_<script>alert(/XSS/)</script>_yyy
Host: example.com
Connection: close
HTTP/1.1 406 Not Acceptable
Content-Type: text/plain
...
tigertonic.MarshalerError: Accept header "xxx_<script>alert(/XSS/)</script>_yyy" does not allow "application/json"
The underlying code is as follows:
https://github.com/rcrowley/go-tigertonic/blob/master/marshaler.go
if !isReader && !acceptJSON(r) {
    ResponseErrorWriter.WritePlaintextError(w, NewHTTPEquivError(NewMarshalerError(
        "Accept header %q does not allow \"application/json\"",
        r.Header.Get("Accept"),
    ), http.StatusNotAcceptable))
    return
}
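The following is an added example, not code from go-tigertonic or from the reporter, showing why the snippet above echoes the header verbatim and what a hardened version looks like. Go's `%q` verb only escapes quotes, backslashes and non-printable characters, so `<` and `>` pass straight through into the text/plain body. The example compares a reflecting handler with one that (a) restricts the echoed value to characters that can legally appear in an Accept media-range and (b) sets `X-Content-Type-Options: nosniff` so a browser cannot reinterpret the plaintext error as HTML. The names `sanitizeAccept`, `writeNotAcceptable` and `notAcceptable` are assumptions of this example; the request value is the one from the report.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sanitizeAccept keeps only characters that may legally appear in an Accept
// media-range: RFC 7230 tchar characters plus the separators "/", ",", ";",
// "=" and space. Everything else, including "<", ">", "(" and ")", is dropped,
// so the value can be echoed back without carrying markup.
// (Hypothetical helper written for this example, not part of tigertonic.)
func sanitizeAccept(v string) string {
	const tcharPunct = "!#$%&'*+-.^_`|~"
	const separators = "/,;= "
	var b strings.Builder
	for _, r := range v {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
			b.WriteRune(r)
		case strings.ContainsRune(tcharPunct, r), strings.ContainsRune(separators, r):
			b.WriteRune(r)
		}
	}
	return b.String()
}

// writeNotAcceptable writes the 406 error. With hardened=false it mirrors the
// reported behaviour: the raw Accept value is formatted with %q and reflected.
// With hardened=true the value is sanitized first and the response forbids
// MIME sniffing, which is the browser behaviour the report relies on.
func writeNotAcceptable(w http.ResponseWriter, accept string, hardened bool) {
	if hardened {
		accept = sanitizeAccept(accept)
		// Tell browsers not to second-guess the declared text/plain type.
		w.Header().Set("X-Content-Type-Options", "nosniff")
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(http.StatusNotAcceptable)
	// %q does not escape '<' or '>', so only the sanitized path is safe here.
	fmt.Fprintf(w, "Accept header %q does not allow \"application/json\"\n", accept)
}

// notAcceptable drives writeNotAcceptable through an in-memory request and
// returns the status, the X-Content-Type-Options header and the body so the
// two behaviours can be compared without a network listener.
func notAcceptable(accept string, hardened bool) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/xxx", nil)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	writeNotAcceptable(rec, req.Header.Get("Accept"), hardened)
	res := rec.Result()
	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)
	return res.StatusCode, res.Header.Get("X-Content-Type-Options"), string(body)
}

func main() {
	// Accept value taken from the report above.
	accept := "xxx_<script>alert(/XSS/)</script>_yyy"
	for _, hardened := range []bool{false, true} {
		status, nosniff, body := notAcceptable(accept, hardened)
		fmt.Printf("hardened=%v status=%d nosniff=%q\n%s\n", hardened, status, nosniff, body)
	}
}
```

Sanitizing to the media-range character set keeps legitimate values such as `text/html, application/json;q=0.9` intact while stripping anything a browser could parse as a tag; the `nosniff` header closes the MIME-sniffing path independently, so either defence alone blunts the report and together they do not depend on each other.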