Text Injection in Error Pages - Rainforest

Hi Readers,

Probably, this is one of the easiest security issue (missing best security practices) one can find in any web application. Whenever you try to access any url which is not in the server, you get 404 page. But sometimes, the error message will be displayed like as shown below.

URL : rainforestqa.com/test

As you can see, our input (“/test”) is being reflected in the web page. The attacker can make use of this opportunity to embed his own input.

https://goo.gl/NngrjJThe above URL will be rendered as shown below:

Even though it is not a security issue, it is advisable not to render user inputs in the error message. Instead, throw a 404 error page. Most companies don’t accept it as a security issue. But I really appreciate Rainforest team to consider my submission. They fixed even this low impact issue. Please find the image below.

 I’ve written a blog post on the same: https://www.tutorgeeks.net/2016/10/text-injection-in-error-pages.html

Thanks and Regards,

Vinoth Kumar