we have a web application that returns
HTTP/1.1 400 Bad Request
...
Content-Type: text/plain;charset=UTF-8
Content-Length: 57
Date: Tue, 14 Apr 2015 19:24:54 GMT
Connection: close
Invalid project area item id
<script>alert(1086)</script>
It is my understanding that relying on Content-Type: text/plain;charset=UTF-8 as the defense to prevent javascript from executing is NOT enough. Rather the output should be encoded, and the input should likely be input validated and garbage thrown out.
What I'm looking for is some crystal clear and official answer on the right approach for handling responses that have javascript where the Content-Type has been set to text/plain.
Anyone have a link (or answer) to an official example of this scenario and right way to handle it? Or is Content-Type: text/plain;charset=UTF-8 all that is needed?
Drakes answer above troubled me, so I created a simple proof of concept to see if I was correct. I am. Even with
Content-Type: text/plain;charset=UTF-8
an application can be compromised with a simple XSS attack.The reason, as I tried to explain below the first time, is that it is the data handling that is important, and the eventual destination and rendering context of the data. The transport is not as important. I created a simple servlet that returns a response just like that of the OP, including the
Content-Type
header. Here's that response:And here's an image of the result. Note that the attack payload was executed: https://flic.kr/p/uRnSgo
Again, the reason is very simple. The data are not being rendered in an AJAX request, but in a consuming web application page, which is an HTML page.
Anyhow, I hope that removes any doubt about being vulnerable in some cases... especially when the response is to an AJAX request that will be rendered in a consuming page.
----- Below is my original response. -----
A 400 response with an error message smells of a REST API response to me.
If this was a REST request (
X-Requested-With: XMLHttpRequest
orAccept: application/json
in the request headers), then you face a serious issue. Although this response is not affected, the data will likely be picked up and displayed in the end user's UI by the consuming page. Since it is not properly encoded, it will execute. It's not always this response you have to worry about, but the eventual disposition of the attack payload. Assuming this is the response to an XMLHttpRequest or REST call, this is a serious bug.You could test with an attack payload of
<iframe src=javascript:alert(1)></iframe>
and I bet you'll see that pop in the consuming application.I would suggest:
Invalid project area item id
and leave out the invalid value. Cheapest solution.So, no you cannot in general rely on
Content-Type
to save you. The data may be displayed in another context where it will execute.Always validate input and properly handle output, which may include encoding in some format or other, depending on the context in which it will be rendered. Anybody telling you otherwise is trying to get out of some required work. :-)