I am having difficulty complying with PCI-DSS this quarter due to the following issue.
When you enter the following into your browser ...
http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
... it responds and, as a result, for some reason that I can't explain, the URL in the browser address bar changes to the following:
http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname="><script>alert(123)<%2Fscript>"
You can see that some of the escaped characters in the source URL have been replaced by unescaped characters.
I explained this by saying that Firefox will automatically reformat the URL in the address bar when the server responds, no matter how it responds, to make it more readable. I told them that there was nothing I could do about it. However, to be fair, they objected that if you try the following URL ...
http://www.google.com/%22%%203E%3Cscript%3Ealert%28123%29%3C%2Fscript%3%20E%22
... when the Google servers respond, the browser does not change the URL and it remains the same:
http://www.google.com/%22%%203E%3Cscript%3Ealert%28123%29%3C%2Fscript%3%20E%22
And they have a point.
So what is going on? I narrowed down the problem, and if I do nothing more than request an empty text file, but add some kind of meaningless request to it ...
http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
... lo and behold, it gets rewritten when my local server responds:
http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
Fiddler , . Apache.
, -. Typing...
http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
... Chrome:
http://localhost/http.mygarble.com/hello.txt?displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
IE URL . Opera , , , URL- , . Safari, IE, URL.
Google . - HTTP, URL- .
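As an added illustration (not part of the original question): the percent-encoded URL as typed and the decoded URL shown in the address bar carry the same `displayname` value once the query string is parsed, which is what the server receives either way. The second half shows the difference between reflecting that value verbatim into the chat page and HTML-escaping it first. The two `render_chat_*` functions and their `<span>` template are assumptions standing in for the site's real chat page.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed inputs copied from the question: the URL as typed and the
# URL as Firefox displays it after the server responds.
URL_TYPED = ("http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE"
             "&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22")
URL_DISPLAYED = ("http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE"
                 '&displayname="><script>alert(123)<%2Fscript>"')


def query_value(url: str, name: str) -> str:
    """Return the percent-decoded value of one query parameter, the way a
    server-side framework hands it to application code."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_chat_unsafe(displayname: str) -> str:
    """Hypothetical chat page that reflects the parameter verbatim; this is
    the pattern a compliance scanner reports as reflected XSS."""
    return f'<span class="who" title="{displayname}">{displayname}</span>'


def render_chat_safe(displayname: str) -> str:
    """Same hypothetical page with the value HTML-escaped. quote=True also
    escapes the double quote, so the value cannot close the title attribute."""
    safe = html.escape(displayname, quote=True)
    return f'<span class="who" title="{safe}">{safe}</span>'


if __name__ == "__main__":
    typed = query_value(URL_TYPED, "displayname")
    shown = query_value(URL_DISPLAYED, "displayname")
    print("same value after decoding:", typed == shown)
    print("unsafe:", render_chat_unsafe(typed))
    print("safe:  ", render_chat_safe(typed))
```

Running the script prints `True` for the comparison: the address-bar rewrite changes only how the request is displayed, not what the application receives, so the scanner's finding has to be addressed in how `displayname` is written into the response.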