Service Stack - Security XSS Query following pentest
We recently had a penetration test done, and one of the "high" items was the fact that our servicestack API will reflect back user input unmodified to the caller. E.g. I can send some script tags in to a GET request, and will get an error on back from the API with the script tags in it:
Has anyone else experienced this, or is there anything built in to servicestack to prevent it?
Thanks!
Solution
You can modify the Exception Message by overriding OnExceptionTypeFilter in your AppHost, e.g:
public class AppHost() : AppHostBase("My App"), IHostingStartup
{
public override void OnExceptionTypeFilter(
Exception ex, ResponseStatus responseStatus)
{
base.OnExceptionTypeFilter(ex, responseStatus);
responseStatus.Message = Sanitize(responseStatus.Message);
}
//...
}
- how to secure my website
- Understanding CSRF
- Why can't a malicious site obtain a CSRF token via GET before attacking?
- REST API from mobile app - Does securing the first call with a CAPTCHA make sense?
- How to disable access security notice "A Potential security concern has been identified"
- Addressing critical vulnerabilities in Maven dependencies
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?
- Generating a random password in php
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- Read/write to NFC tag with password protection
- Request for the permission of type 'System.Security.Permissions.FileIOPermission.. failed
- Azure blocks POST requests from User-Agent Mozilla/5.0 to App Service
- How to read a HttpOnly cookie using JavaScript
- Using PHP to check if there are unsuitable characters in a textarea form