Koa redirect can lead to XSS
This issue is related to #363. Koa redirect can lead to an XSS if a JavaScript URL is passed.
Details:
- Koa prints the redirected URL in the body of the redirect response
- Koa escapes the URL prior to including it in the body of the response
- Unfortunately, the escaping routine escapes for HTML, not for URLs
- For this reason, it is possible to mount an XSS attack by passing in a javascript URL to redirect.
Proof-of-concept:
// Minimal Koa app reproducing the issue: the redirect target is a javascript: URL,
// which Koa HTML-escapes and writes into the redirect body as a link.
const Koa = require('koa');
const app = new Koa();
app.use(async ctx => {
  ctx.redirect("javascript:alert(1);");
});
app.listen(3000);
Followed by: curl 'http://localhost:3000/'
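A guard for redirect targets, added here as an example (not Koa's own code and not from the issue thread): it classifies the target the way a browser would resolve it and wraps ctx.redirect() so that a javascript: or any other non-http(s) scheme is refused before Koa echoes it into the response body. The host allowlist, the dummy base origin and the stand-in ctx object are constructed for the example.

```javascript
// Added example, not Koa's own code: ctx.redirect() echoes its target into an HTML
// body, and HTML-escaping cannot neutralise a javascript: href, so refuse such targets up front.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const DUMMY_BASE = 'http://redirect-check.invalid'; // constructed origin for resolving relative targets

// Classify a redirect target by what a browser would do with it.
function classifyRedirectTarget(target) {
  let parsed;
  try {
    parsed = new URL(target); // absolute URL with an explicit scheme
  } catch {
    try { parsed = new URL(target, DUMMY_BASE); } catch { return 'invalid'; }
    // "//host/x" and "/\host" resolve to another origin: scheme-relative escape
    return parsed.origin === new URL(DUMMY_BASE).origin ? 'relative' : 'external';
  }
  // The URL parser lowercases the scheme and strips tabs/newlines, so "JavaScript:"
  // and "java\tscript:" both arrive here as "javascript:".
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? 'absolute' : 'dangerous-scheme';
}

// Policy: relative paths pass; absolute http(s) only to allowlisted hosts; all else refused.
function checkRedirect(target, allowedHosts = []) {
  const kind = classifyRedirectTarget(target);
  if (kind === 'relative') return { ok: true, kind };
  if (kind === 'absolute' && allowedHosts.includes(new URL(target).host)) return { ok: true, kind };
  return { ok: false, kind };
}

// Koa middleware (the per-app option suggested in the thread, done as a wrapper): shadows
// ctx.redirect for this request with a version that throws 400 on a refused target.
function guardRedirects(allowedHosts = []) {
  return function redirectGuard(ctx, next) {
    const original = ctx.redirect.bind(ctx);
    ctx.redirect = (url, alt) => {
      const verdict = checkRedirect(url, allowedHosts);
      if (!verdict.ok) ctx.throw(400, `refused redirect to ${verdict.kind} target`);
      return original(url, alt);
    };
    return next();
  };
}

// Exercise the guard against a constructed stand-in for Koa's ctx (no server needed).
function runGuard(target, allowedHosts = ['app.example']) {
  const redirected = [];
  const ctx = { redirect: (url) => { redirected.push(url); },
                throw: (status, message) => { throw Object.assign(new Error(message), { status }); } };
  try { guardRedirects(allowedHosts)(ctx, () => ctx.redirect(target)); return { redirected, status: 302 }; }
  catch (err) { return { redirected, status: err.status }; }
}
```

In a real app, `app.use(guardRedirects(['app.example']))` goes before any middleware that calls `ctx.redirect()`.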
Issue Analytics: created 5 years ago; 8 comments (4 by maintainers).
Top GitHub Comments
I agree with @vladshcherbin's comment. Developers are unlikely to be aware that Koa generates an HTML page before issuing a redirect and might simply dismiss non-http(s): URLs as invalid redirect destinations.

This is developer responsibility imo, closing. If you wish to open a code-based PR for review (e.g. an option as @fl0w mentioned) or a PR to update the docs, it is more than welcome. Please reference this issue number in your commit/PR, thank you.