Thanks for clarifying; I couldn't understand how we were providing an ability for an external user to alter the text of the services page. Now you mention it's by entering address fields in the browser URL field.

Probably best to enter a JIRA ticket for this. I'll test locally on my end with a dummy web service to see if I can duplicate.

Glen

On 2/25/2011 8:14 AM, sami wrote:
However, in my case, it is not code sent by the developer but a
non-persistent XSS.

If I type the url :
http://localhost:8080/webapp/services/
->  It displays the http://localhost:8080/webapp/services/ page with the next
text :
http://localhost:8080/webapp/services/myDefaultWebservice

If I type the url :
http://localhost:8080/webapp/services/1 ->  No such service

If I type the url
http://localhost:8080/webapp/services/&;
->  It displays the http://localhost:8080/webapp/services/ page with the next
text :
http://localhost:8080/webapp/services/&/myDefaultWebservice (Notice the &)

If I type the next url :
http://localhost:8080/webapp/services/<script>alert('XSS')</script>
I have the popup displayed!
Because the next text is displayed :
http://localhost:8080/webapp/services/<script>alert('XSS')</script>/myDefaultWebservice

If you do not have the same problem, then it means that something else is
disturbing the CXF flow in my case...

Thanks,
Sami



--
Glen Mazza
Software Engineer, Talend (http://www.talend.com)
blog: http://www.jroller.com/gmazza
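
The behaviour reported in this thread, sketched as an added example that is not part of either message and is not CXF source code: a services listing that builds each endpoint address from the request URL and writes it into HTML, once without and once with output encoding. The class and method names are hypothetical; the URL and service name are the ones quoted above.

```java
import java.util.List;

// Added illustration only; not CXF code. All names here are hypothetical.
public class ServiceListDemo {

    // Encode the characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Renders the listing. requestBase is derived from the URL the client sent,
    // so it is untrusted input even though it looks like a server address.
    static String render(String requestBase, List<String> services, boolean encode) {
        StringBuilder html = new StringBuilder("<ul>\n");
        for (String name : services) {
            String address = requestBase + "/" + name;
            // Encoding happens at the point of output, on the full address.
            html.append("<li>")
                .append(encode ? escapeHtml(address) : address)
                .append("</li>\n");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        List<String> services = List.of("myDefaultWebservice");
        String base = "http://localhost:8080/webapp/services/<script>alert('XSS')</script>";

        // Reported behaviour: the markup from the URL reaches the page intact.
        System.out.println(render(base, services, false));
        // Encoded output: the same text is displayed as text, not parsed as markup.
        System.out.println(render(base, services, true));
    }
}
```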

