[web] Error messages by URL querystring--XSS vulnerability?

I have a script that takes a credit card charge. On any kind of failure, it spits the user back to the previous page with an error message in the URL querystring. This string is just printed out to the browser, HTML and all. This sounds at first like a XSS vulnerability, but since it can only happen if someone puts it into their browser themselves, there's no possibility of a drive-by attack, right? I saw GameDev did something like this (that has been used for humor before). Should I be worried about this?

Yes, this will definitely provide a route for an XSS attack.

Strings should always be html-escaped in HTML output, in ALL cases, except where you are absolutely sure that either:

- The HTML came from a trusted source who is guaranteed not to have put anything malicious in
- You are satisfied that your HTML-cleaning routine is absolutely bullet-proof.

(Hint: Cleaning HTML is NOT straightforward)


The exploit route is typically by inserting some client-side script code (i.e. JavaScript) which reads out your users' cookies and sends them to a malicious site.

They can also use it to provide a page which contains a malicious form on what appears to be your legitimate site, e.g. for spoofing attacks.

They can get your authorised users to visit this page by providing a link (or a redirect) to it directly from their own site (or send them an email etc).
It's a problem when people can link to that error page, showing their own content from your domain - with something like it's even got a valid SSL certificate from Microsoft, and I expect the code could also read that domain's cookies and send them elsewhere. (Edit: uh, sorry, most of that sentence is redundant given markr's post.)

(Somewhat ironically, it's actually the page showing the error message "A potentially dangerous Request.QueryString value was detected" which prints its own URL (including dangerous query string) and opens itself to XSS attacks.)

If you really want HTML formatting in the error message, it may be best to store all the error messages in a database and just pass the ID number in the URL - that way you're sure the HTML output is coming from a trusted source, and the worst that someone can do is read all your error messages.

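The two fixes suggested in the replies above (escape the string on output, or pass only an error ID in the URL and look the message up server-side), shown side by side with the echo-it-verbatim pattern from the question. This is an added Python example, not code from the thread; the URLs, the error table and the function names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: a benign redirect as the original script would emit it,
# and one where the querystring carries markup the page must not execute.
BENIGN_URL = "https://shop.example/checkout?error=Card+declined%3A+%3Cb%3Eplease+retry%3C%2Fb%3E"
HOSTILE_URL = "https://shop.example/checkout?error=%3Cscript%3Ex()%3C%2Fscript%3E"

def error_from_url(url):
    """Return the decoded 'error' querystring parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("error", [""])[0]

def render_vulnerable(url):
    # The behaviour described in the question: the querystring is printed as-is,
    # so any tag in it becomes part of the page (reflected XSS).
    return f"<p class='err'>{error_from_url(url)}</p>"

def render_escaped(url):
    # markr's fix: HTML-escape on output. The text is still shown, but < > & " '
    # become entities, so the browser renders them instead of interpreting them.
    return f"<p class='err'>{html.escape(error_from_url(url), quote=True)}</p>"

# The second reply's approach: formatted messages live server-side (a dict here
# standing in for the database) and only an ID travels in the URL.
ERROR_MESSAGES = {
    "1": "Card declined: <b>please retry</b>",
    "2": "The card number failed validation.",
}
DEFAULT_MESSAGE = "Your payment could not be processed."

def render_by_id(url):
    code = parse_qs(urlsplit(url).query).get("err", [""])[0]
    # Anything not in the table (tampered or unknown) gets a fixed fallback;
    # the HTML that reaches the page only ever comes from the trusted table.
    return f"<p class='err'>{ERROR_MESSAGES.get(code, DEFAULT_MESSAGE)}</p>"

def contains_script_tag(markup):
    """Crude check used to show which renderer lets a <script> through."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        print(f"{name:>10}: {fn(HOSTILE_URL)}")
    print(f"     by id: {render_by_id('https://shop.example/checkout?err=1')}")
```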