XSS from params parser exception (status code : 400) #1428

@JokerCatz

Description

Source at:

def params
  super
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
  raise BadRequest, "Invalid query parameters: #{e.message}"
end

Demo code:

# server.rb
require 'sinatra'
# yes ... it's empty, just require the sinatra gem

Call curl like this:

curl -i 'http://127.0.0.1:4567/' --data $'" %x\\"> <script>alert(1)</script>"'

Returns:

HTTP/1.1 400 Bad Request
Content-Type: text/html;charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 81

Invalid query parameters: invalid %-encoding (" %x\"> <script>alert(1)</script>")

I know it's a 400, but the error message can be HTML ... and there is no way to disable / filter it ...

And you can use code like this to overwrite it:

module Sinatra
  class Request < Rack::Request
    def params
      super
    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
      raise BadRequest, "404"
    end
  end
end
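The reflection described in this report, shown as an added, stand-alone example (not Sinatra's or Rack's code, and not the reporter's): the unsafe shape interpolates the parser's exception message straight into a text/html 400 body, the hardened shape HTML-escapes the message and serves it as text/plain so the browser never parses the reflected input as markup. It assumes Ruby's stdlib `URI.decode_www_form_component` as a stand-in for Rack's parameter parser, since it raises `ArgumentError` with the same `invalid %-encoding (...)` message, raw input included; the request body is constructed from the curl command above.

```ruby
require 'uri'
require 'cgi'

# Constructed sample body, modelled on the curl request in the report: a bare
# "%x" is not a valid percent-escape, so the parser rejects the whole input.
MALFORMED_BODY = '" %x\"> <script>alert(1)</script>"'

# Stand-in for Rack's form parser (assumption: Ruby's stdlib decoder is used
# because it raises ArgumentError carrying the raw input in its message, just
# as Rack::Utils::InvalidParameterError does).
def parse_params(body)
  body.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    params[URI.decode_www_form_component(key.to_s)] =
      URI.decode_www_form_component(value.to_s)
  end
end

# Shape reported in the issue: the exception message is interpolated into the
# 400 body unchanged and served as text/html, so the reflected input is markup.
def unsafe_400(body)
  parse_params(body)
  { status: 200, content_type: 'text/html;charset=utf-8', body: 'ok' }
rescue ArgumentError => e
  { status: 400,
    content_type: 'text/html;charset=utf-8',
    body: "Invalid query parameters: #{e.message}" }
end

# Hardened shape: HTML-escape the reflected message and serve the error as
# text/plain. Either change alone closes the injection; together they also
# keep the message useful for debugging instead of replacing it with "404".
def safe_400(body)
  parse_params(body)
  { status: 200, content_type: 'text/html;charset=utf-8', body: 'ok' }
rescue ArgumentError => e
  { status: 400,
    content_type: 'text/plain;charset=utf-8',
    body: "Invalid query parameters: #{CGI.escapeHTML(e.message)}" }
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_400(MALFORMED_BODY)[:body]
  puts safe_400(MALFORMED_BODY)[:body]
end
```

Running the file prints the two 400 bodies side by side: the first still contains the literal `<script>` tag, the second contains only `&lt;script&gt;` and is labelled text/plain, which is the property a regression test for this issue should assert on.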
