Possible open redirect vulnerability #18

Open
opened 2 months ago by neri · 0 comments
neri commented 2 months ago
Owner

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

When uploading an HTML document that includes a `<script>`, the attacker can redirect to any website.

This isn't so bad, it just allows datatrash to be used as an unchecked link shortener, which should be avoided.

The fix would be to add a strict CSP to datatrash and make sure that no executable content will be served in such a way that the browser runs it.

Possible CSP fix: only allow styles/scripts/etc. from paths that belong to the application and are not uploaded files.

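One way to implement the split the issue proposes, as an added example that is not datatrash's own code: uploaded files get a `default-src 'none'; sandbox` policy so nothing in them executes, while application pages may only load scripts from the application's own asset path. The origin `https://datatrash.example` and the `/static/` and `/upload/` prefixes are assumed placeholders, and `script_allowed` is a deliberately simplified subset of CSP source matching used here only to check the policies.

```python
from urllib.parse import urlparse

# Constructed placeholders; datatrash's real origin and paths may differ.
APP_ORIGIN = "https://datatrash.example"
APP_ASSET_PREFIX = "/static/"   # assets shipped with the application
UPLOAD_PREFIX = "/upload/"      # user-supplied files, never trusted to run


def headers_for(path):
    """Response headers for a request path: locked-down for uploads, strict for the app."""
    if path.startswith(UPLOAD_PREFIX):
        return {
            # Nothing may load or execute, and 'sandbox' gives the document an opaque origin.
            "Content-Security-Policy": "default-src 'none'; sandbox; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff",
        }
    assets = f"{APP_ORIGIN}{APP_ASSET_PREFIX}"
    return {
        "Content-Security-Policy": (
            f"default-src 'none'; script-src {assets}; style-src {assets}; "
            "img-src 'self'; frame-ancestors 'none'"
        ),
    }


def _directive(policy, name):
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == name:
            return tokens[1:]
    return None


def script_allowed(policy, page_origin, script_url=None):
    """True if the policy lets the page run this script (inline when script_url is None)."""
    sources = _directive(policy, "script-src")
    if sources is None:  # script-src falls back to default-src
        sources = _directive(policy, "default-src") or []
    if script_url is None:
        return "'unsafe-inline'" in sources
    s = urlparse(script_url)
    origin = f"{s.scheme}://{s.netloc}"
    for expr in sources:
        if expr == "'self'" and origin == page_origin:
            return True
        if "://" in expr:
            e = urlparse(expr)
            if f"{e.scheme}://{e.netloc}" != origin:
                continue
            # A source path ending in "/" is a prefix match; otherwise it must match exactly.
            if not e.path or (e.path.endswith("/") and s.path.startswith(e.path)) or s.path == e.path:
                return True
    return False
```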
Reference: neri/datatrash#18