Text Injection in Error Pages – Rainforest

October 20, 2016 | Views: 5521


Hi Readers,

This is probably one of the easiest security issues (really a missing best practice) you can find in any web application. Whenever you request a URL that does not exist on the server, you get a 404 page. Sometimes, though, the error message is displayed as shown below.

URL : rainforestqa.com/test

[Image: Screen Shot 2016-10-17 at 2.49.54 PM.png]

As you can see, our input (“/test”) is reflected in the web page. An attacker can use this to embed text of their own choosing in the page, for example via the following URL:

https://goo.gl/NngrjJ

The above URL will be rendered as shown below:

[Image: rainforestqa 1.png]

Even though it is not a security issue, it is advisable not to render user input in the error message. Instead, serve a generic 404 error page. Most companies don’t accept this as a security issue, but I really appreciate the Rainforest team for considering my submission. They fixed even this low-impact issue. Please find the image below.

[Image: rainforest 3.png]
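As an added example (not code from the original post or from Rainforest), here is the reflecting 404 handler beside the generic one the post recommends, plus a check you can run against your own error pages. The handler signatures, the canary string and the framework-free shape (status, body) are assumptions; an HTML-escaped variant is included to show that escaping stops markup injection but not text injection.

```python
import html
from typing import Callable, Tuple
from urllib.parse import unquote

# Constructed marker: a path fragment that cannot legitimately exist.
CANARY = "txtinj-canary-9f3a"


def reflecting_404(request_path: str) -> Tuple[int, str]:
    """Weak pattern from the post: the requested (URL-decoded) path is
    pasted verbatim into the error page, so whoever controls the URL
    controls the text a visitor reads (and, unescaped, the HTML too)."""
    shown = unquote(request_path)
    body = f"<h1>Not Found</h1><p>The page {shown} does not exist.</p>"
    return 404, body


def escaped_404(request_path: str) -> Tuple[int, str]:
    """HTML-escaping the path blocks markup injection (XSS) but not text
    injection: the attacker-chosen words are still rendered to the user."""
    shown = html.escape(unquote(request_path))
    body = f"<h1>Not Found</h1><p>The page {shown} does not exist.</p>"
    return 404, body


def hardened_404(request_path: str) -> Tuple[int, str]:
    """Fix the post recommends: a generic 404 with no user input in the
    rendered message. The path stays server-side (access logs only)."""
    _ = request_path  # available for logging, never rendered
    body = "<h1>Not Found</h1><p>The page you requested does not exist.</p>"
    return 404, body


def reflects_input(handler: Callable[[str], Tuple[int, str]],
                   canary: str = CANARY) -> bool:
    """Check for your own error pages: request a path that cannot exist
    and see whether its text comes back in the 404 response body."""
    status, body = handler(f"/{canary}")
    return status == 404 and canary in body


if __name__ == "__main__":
    for h in (reflecting_404, escaped_404, hardened_404):
        print(f"{h.__name__:15} reflects input: {reflects_input(h)}")
```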


I’ve written a blog post on the same: http://www.tutorgeeks.net/2016/10/text-injection-in-error-pages.html

Thanks and Regards,

Vinoth Kumar

4 Comments
  1. Good effort. The directory structure can be revealed.

  2. Thanks for information.

  3. Pardon me for not seeing the light, but so what? I don’t see anything more than hacking your own browser. Until reflected content reveals something about the server or its users it isn’t doing anything useful.
    This looks promising, reflection into pages that really shouldn’t be able to. Depending on the framework I bet some Error Docs could be leveraged to maybe reveal something about directory structure of the http server and that can all too often lead to a rich field of discovery.
