Problem: Reflected Cross-Site Scripting (XSS) Attack

Hello,

I have a problem with one of my MODX sites. It is possible to use URLs like this:

https://www.domain.de/blog/webblog/Arbeitsrechtz3q28"><img%20src=a%20onerror=alert('XSS_Attack')>pjbsf/%20HTTP/1.1/

I don't know how to fix this. I think my friendly URL settings are the problem... Has anyone an idea/tip?

Thanks,
Chris

Are you doing anything with the URL that's unsanitized? XSS works when untrusted user input is pasted into markup; that must be happening with the URL here.

Perhaps it’s added into a canonical or other meta tag without applying htmlentities to it.

Hi Mark,

No, I do nothing with URLs like this. It is a result from a security report, which means it is a security vulnerability.
The customer asked me to fix it...

For such an attack to work, the malicious URL must somehow be reflected back to the user in the server's response. That means that somewhere in the page source the requested URL has to appear unchanged.

So what exactly happens when you call your site with this malicious URL?
Does it show the error page? Do you have a message there like "the URL ... could not be found" that outputs the requested URL?

Hi halftrainedharry,

The complete/correct URL is: https://www.sbs-legal.de/blog/webblog/Arbeitsrechtz3q28"><img src=a onerror=alert('XSS_Attack')>pjbsf/ HTTP/1.1/

This is an example from the security scan tool: a hint/warning that this page is susceptible to XSS attacks, see this example. The customer's wish is to prevent URL strings/methods like this.

In the <head> section of your page it outputs the requested URL:

...
<link rel="canonical" href="https://www.domain.de/blog/webblog/Arbeitsrechtz3q28"><img src=a onerror=alert('XSS_Attack')>pjbsf/ HTTP/1.1/"/>
</head>

Find the template/chunk where you output this <link> tag and apply the htmlentities output modifier.

By the way, you probably shouldn't publicly release your real domain name when you have security issues.

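The mechanism halftrainedharry describes, as an added example in plain PHP (it is not pdoTools/pdoPage code and not MODX template syntax): the scanner's request path is pasted into the href attribute of the canonical tag unescaped, so the `"` closes the attribute and the `>` closes the tag, and the `<img onerror=...>` that follows becomes live markup. Running the same value through htmlentities() with ENT_QUOTES, which is what the MODX `:htmlentities` output modifier does for a placeholder, neutralises it. The base URL, the function names and the scanner path constant are assumptions for this example; the path itself is taken from the thread.

```php
<?php
// Added example, not code from pdoTools/pdoPage or the original post.
// Shows why an unescaped request URI inside <link rel="canonical"> is a
// reflected XSS, and how attribute-escaping the value prevents it.

// The request path reported by the security scanner (copied from the thread).
const SCANNER_PATH = '/blog/webblog/Arbeitsrechtz3q28"><img src=a onerror=alert(\'XSS_Attack\')>pjbsf/ HTTP/1.1/';

// Vulnerable: the request URI is concatenated straight into an attribute value.
// The embedded " closes href, the > closes the <link> tag, and the <img ...>
// payload is parsed as a real element.
function canonical_unescaped(string $base, string $path): string
{
    return '<link rel="canonical" href="' . $base . $path . '"/>';
}

// Hardened: htmlentities() with ENT_QUOTES turns " into &quot; and < > into
// &lt; &gt;, so the browser keeps the whole value inside the attribute.
// In a MODX chunk the equivalent is [[+placeholder:htmlentities]].
function canonical_escaped(string $base, string $path): string
{
    $safe = htmlentities($base . $path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="' . $safe . '"/>';
}

// Crude version of the check a scanner performs on the response body:
// does an <img ... onerror= element survive into the rendered HTML?
function contains_injected_tag(string $html): bool
{
    return (bool) preg_match('/<img[^>]*onerror=/i', $html);
}

$base = 'https://www.domain.de'; // assumed placeholder domain

echo "Unescaped:\n", canonical_unescaped($base, SCANNER_PATH), "\n";
echo "Escaped:\n", canonical_escaped($base, SCANNER_PATH), "\n\n";

echo 'Payload reflected unescaped: ',
    contains_injected_tag(canonical_unescaped($base, SCANNER_PATH)) ? 'yes' : 'no', "\n";
echo 'Payload reflected escaped:   ',
    contains_injected_tag(canonical_escaped($base, SCANNER_PATH)) ? 'yes' : 'no', "\n";
```

Escaping stops the breakout, but a canonical tag that echoes the raw request URI is still questionable: an attacker-controlled canonical URL can be used to poison what search engines index. The more robust fix is to build the canonical from the resolved resource's own URI (what the CMS knows the page to be) rather than from whatever the client sent, and escape that.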

Thanks so far,

Strangely, the tag <link rel="canonical" href=…"> is in none of my TPLs, chunks...
I think this is generated by BlogIt, or it has been hacked ;(

The problem already exists in the BlogIt content/blogs.

I don't think that BlogIt generates the <link> tag. It has to be another extra.
I would do a search in the core/components directory to find the culprit.


Hi halftrainedharry,

I got it, thanks for the tip. I searched the path core/components for "canonical" and found it in pdopage.php.

First of all, I disabled the meta chunk for pdoPage:
setMeta 0 = Registration of meta tags with links to previous and next page.

Now the <link> tags will no longer be created.


I’ve created a patch for pdoTools.