Text Injection in Error Pages - Rainforest

By: vinothpkumar
October 20, 2016


Hi Readers,

Probably, this is one of the easiest security issues (a missing security best practice) one can find in any web application. Whenever you try to access a URL that does not exist on the server, you get a 404 page. But sometimes the error message is displayed as shown below.

URL : rainforestqa.com/test

As you can see, our input (“/test”) is being reflected in the web page. The attacker can make use of this opportunity to embed his own input.

https://goo.gl/NngrjJ

The above URL will be rendered as shown below:

rainforestqa 1.png

Even though it is not a security issue, it is advisable not to render user input in the error message. Instead, throw a 404 error page. Most companies don’t accept it as a security issue. But I really appreciate the Rainforest team for considering my submission. They fixed even this low-impact issue. Please find the image below.

rainforest 3.png
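
An added example, not from the original post or from Rainforest's code: two minimal WSGI 404 handlers, one echoing the requested path as described above and one returning a fixed message, plus an in-process check that requests a random canary path and reports whether the error body reflects it. The handler names, message wording and canary format are assumptions made for illustration.

```python
import secrets
from html import escape
from wsgiref.util import setup_testing_defaults

HEADERS = [("Content-Type", "text/html; charset=utf-8")]


def reflecting_app(environ, start_response):
    """'Before' behaviour: the 404 body echoes the requested path.

    HTML-escaping blocks markup, but the visitor still sees whatever
    text was placed in the URL, which is the text injection itself.
    """
    path = environ.get("PATH_INFO", "/")
    body = f"The page {escape(path)} could not be found."
    start_response("404 Not Found", HEADERS)
    return [body.encode("utf-8")]


def generic_app(environ, start_response):
    """'After' behaviour: a fixed message with no request data in it."""
    start_response("404 Not Found", HEADERS)
    return [b"404 - Page not found."]


def error_page_reflects_path(app):
    """Call the app in-process with a random canary path (constructed
    input) and return True if the 404 body contains the canary."""
    canary = "canary-" + secrets.token_hex(8)
    environ = {}
    setup_testing_defaults(environ)
    # PATH_INFO is already percent-decoded in WSGI, so spaces are literal.
    environ["PATH_INFO"] = f"/{canary} constructed text"
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"].startswith("404") and canary in body


if __name__ == "__main__":
    for app in (reflecting_app, generic_app):
        print(app.__name__, "reflects path:", error_page_reflects_path(app))
```

The same canary check can run in a regression suite against the real application's 404 handler so that a later template change does not reintroduce the reflection.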

I’ve written a blog post on the same: https://www.tutorgeeks.net/2016/10/text-injection-in-error-pages.html

Thanks and Regards,

Vinoth Kumar
