However, in my case it is not code sent by the developer but a non-persistent XSS.

If I type the URL http://localhost:8080/webapp/services/ -> it displays the http://localhost:8080/webapp/services/ page with the following text: http://localhost:8080/webapp/services/myDefaultWebservice

If I type the URL http://localhost:8080/webapp/services/1 -> No such service

If I type the URL http://localhost:8080/webapp/services/& -> it displays the http://localhost:8080/webapp/services/ page with the following text: http://localhost:8080/webapp/services/&/myDefaultWebservice (notice the &)

If I type the URL http://localhost:8080/webapp/services/<script>alert('XSS')</script> I have the popup displayed! Because the following text is displayed: http://localhost:8080/webapp/services/<script>alert('XSS')</script>/myDefaultWebservice

If you do not have the same problem, then it means that something else is disturbing the CXF flow in my case...

Thanks,
Sami

--
View this message in context: http://cxf.547215.n5.nabble.com/XSS-flaw-in-Available-SOAP-services-page-tp3398847p3400093.html
Sent from the cxf-user mailing list archive at Nabble.com.
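The probe sequence above (a harmless `&`, then a `<script>` tag) is the standard way to tell whether a page echoes a path segment raw or escapes it. The following is an added example, not Apache CXF code and not from the poster: a constructed stand-in for a listing page that echoes the request path in front of `/myDefaultWebservice`, its HTML-escaped counterpart, and a small checker that classifies how each probe comes back in the response body. The base URL, the `<p>` markup, and the function names are assumptions for the illustration.

```python
import html

# Added illustration, not Apache CXF code: a stand-in for the services listing
# page that echoes the request path, plus a checker that classifies how a
# probe string comes back. BASE and the <p> markup are assumptions.
BASE = "http://localhost:8080/webapp/services/"
PAYLOAD = "<script>alert('XSS')</script>"


def render_vulnerable(segment: str) -> str:
    """Echo the raw path segment into HTML: the reflected-XSS sink the post describes."""
    return f"<p>{BASE}{segment}/myDefaultWebservice</p>"


def render_hardened(segment: str) -> str:
    """Same page, with the untrusted segment HTML-escaped before it is inserted."""
    return f"<p>{BASE}{html.escape(segment, quote=True)}/myDefaultWebservice</p>"


def classify_reflection(body: str, probe: str) -> str:
    """Classify how a probe string appears in a response body.

    'raw'     - the probe is present verbatim (exploitable if it is markup)
    'escaped' - only the HTML-escaped form is present (rendered as text)
    'absent'  - neither form is present

    The escaped form is checked first and stripped out before looking for the
    raw probe, because a probe such as "&" is a substring of its own escaped
    form "&amp;" and would otherwise be misreported as raw.
    """
    escaped = html.escape(probe, quote=True)
    if escaped != probe and escaped in body and probe not in body.replace(escaped, ""):
        return "escaped"
    if probe in body:
        return "raw"
    return "absent"


def run_probes(render) -> dict:
    """Send the post's two informative probes through a page renderer and classify each."""
    return {p: classify_reflection(render(p), p) for p in ("&", PAYLOAD)}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, run_probes(render))
```

Against a live server the `render` callable would be replaced by a function that fetches `BASE + segment` and returns the body; the classification logic stays the same. A result of `raw` for the `<script>` probe is the condition the poster observed, and `escaped` is what a fixed page should return.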
