Service Stack - Security XSS Query following pentest
We recently had a penetration test done, and one of the "high" items was the fact that our servicestack API will reflect back user input unmodified to the caller. E.g. I can send some script tags in to a GET request, and will get an error on back from the API with the script tags in it:
Has anyone else experienced this, or is there anything built in to servicestack to prevent it?
Thanks!
Solution
You can modify the Exception Message by overriding OnExceptionTypeFilter in your AppHost, e.g:
public class AppHost() : AppHostBase("My App"), IHostingStartup
{
public override void OnExceptionTypeFilter(
Exception ex, ResponseStatus responseStatus)
{
base.OnExceptionTypeFilter(ex, responseStatus);
responseStatus.Message = Sanitize(responseStatus.Message);
}
//...
}
- Symfony Voter constant usages
- Creating a PHP function triggered when shady DROP like queries are performed
- Threat detection with Sysmon .csv log using Sigma Rules
- Does Microsoft have a recommended way to handle secrets in headers in HttpClient?
- How to set access_control to disallow users having a 'ROLE_USER' to access path: ^/login after successful login?
- C++ const std:string& security when passing to a third-party API
- login-info.cfg Splunk file semantic and structure
- Is it possible to stop duplicating docker images?
- How can I override a system call table entry with my own function?
- Where to store JWT in browser? How to protect against CSRF?
- Difference between processes running in kernel mode and running as root?
- Found a weak escape function for MySql, how to exploit?
- Are security concerns sending a password using a GET request over https valid?
- Adding an SSL Certificate to JRE in order to access HTTPS sites
- Why is serving static files insecure
- Implementing Custom Expression Handling with Spring Security 6
- Can string sanitisation via PHP's str_replace() be bypassed using multibyte or invisible characters?
- Clarification regarding SOC-2 compliance in multiple locations
- What is Boto3 Inspector v2 list_findings' nextToken initial value?
- Which is more secure: EncryptedSharedPreferences or storing directly in KeyStore?
- What Does /**/or/**/ Mean?
- Why does Google prepend while(1); to their JSON responses?
- How can I sanitize user input with PHP?
- Symfony User Logout After Role Change
- PHP: Is mysql_real_escape_string sufficient for cleaning user input?
- How to redirect HTTP requests to HTTPS using Spring Security Java configuration?
- Where does one go to get security alert notifications?
- Xmlrpc is vulnerable to xxe attack?
- InvalidKeySpecException In Java
- How to hide only sensitive arguments in PHP's debug_backtrace?