Hi Jörg,

Thanks for the reply. We tested in RHEL 5.10.

Please find below a screenshot of how it's tested. Here the response from the server is *400 Bad Request* for the request:

wget http://192.168.0.56:9200/anyPath

<https://lh5.googleusercontent.com/-9pyO9aXdc5A/UrvrrgIXhYI/AAAAAAAAAGU/2KVQjzCQ30U/s1600/400.PNG>

How can I respond with a custom error message instead of 400 Bad Request in the response?

BR,
Chethan

On Monday, December 16, 2013 7:06:06 PM UTC+5:30, Jörg Prante wrote:
>
> 400 Bad Request is a proper response in respect to
> http://tools.ietf.org/search/rfc2616#section-10.4.1
>
> Access-Control-Allow-Origin: * is to ease javascript development
> http://www.elasticsearch.org/tutorials/javascript-web-applications-and-elasticsearch/
>
> And the code <script>cross_site_scripting.nasl</script> is not executed at
> all, is it?
>
> Can you describe the environment in which an exploit works?
>
> Jörg
>
> On Mon, Dec 16, 2013 at 8:09 AM, Chethan B D <[email protected]> wrote:
>
>> Hi All,
>>
>> *Issue:* elastic search server (port: *9200*) is prone to the XSS
>> vulnerability.
>>
>> *version:* 0.19.8
>>
>> *Environment:* RHEL 5.10
>>
>> *Vulnerability Description:*
>> The elastic search server fails to adequately sanitize request strings of
>> malicious JavaScript.
>> So, an attacker may be able to cause arbitrary HTML and script code to be
>> executed in a user's browser within the security context of the affected
>> site.
>>
>> *The request string used to detect this flaw was:*
>> /scripts/uw12snbk.asp?<script>cross_site_scripting.nasl</script>
>>
>> *The output was:*
>>
>> HTTP/1.1 400 Bad Request
>> Access-Control-Allow-Origin: *
>> Content-Type: text/plain; charset=UTF-8
>> Content-Length: 108
>>
>> *No handler found for this uri*
>> [/scripts/uw12snbk.asp?<script>cross_site_scripting.nasl</script>] and method [GET]
>>
>> So, is there an Elastic Search server configuration which can prevent XSS,
>> which can provide a proper handler message instead of *400 Bad Request in
>> the response*?
>>
>> BR,
>> Chethan
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "elasticsearch" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/elasticsearch/93657597-9cb9-4e87-b7cf-d97d2ba113bf%40googlegroups.com
>> .
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
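The scanner finding discussed in this thread, as an added triage example that is not from the thread or from Elasticsearch: it parses a raw HTTP response (a constructed sample built from the response quoted above, with the Content-Length header omitted) and reports whether the reflected probe would actually be rendered as script by a browser, which depends on the Content-Type of the body, not on the 400 status.

```python
# Added example (not from the thread): triage a reflected-input scanner hit
# by checking how a browser would interpret the response body.

PROBE = "<script>cross_site_scripting.nasl</script>"

# Constructed sample, modelled on the 400 response quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "No handler found for this uri [/scripts/uw12snbk.asp?"
    "<script>cross_site_scripting.nasl</script>] and method [GET]"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage_reflection(raw, probe):
    """Decide whether a reflected probe is browser-executable.

    A reflected string only runs if the body is rendered as HTML.
    text/plain is shown literally; a missing Content-Type may be
    sniffed unless X-Content-Type-Options: nosniff is set."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    reflected = probe in body
    renders_html = ctype in ("text/html", "application/xhtml+xml")
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    sniffable = ctype == "" and not nosniff
    return {
        "status": status,
        "content_type": ctype,
        "reflected": reflected,
        "executable": reflected and (renders_html or sniffable),
        "cors_wildcard": headers.get("access-control-allow-origin") == "*",
    }


if __name__ == "__main__":
    print(triage_reflection(SAMPLE_RESPONSE, PROBE))
```

For the quoted response the probe is reflected but not executable because the body is text/plain; the same body served as text/html would be flagged as executable.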
