
I have a web application and I used OWASP ZAP to check for XSS. I tried two cases, as in the examples below:

URL: localhost:8888/test/login

Login page HTML:

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="US-ASCII">
    <title>Login Page</title>
    <script src="https://code.jquery.com/jquery-1.9.1.min.js"></script>

    </head>
    <body>
    <h3>Login with email and password</h3>
    <form id="testForm" action="login" method="post">
    <strong>User Email</strong>:<input type="text" name="email" id="email"><br>
    <strong>Password</strong>:<input type="password" name="pass" id="pass"><br>
    <input type="submit" value="Login" id="subForm">
    <!-- submitted email is written back into the page by the server -->
    <div id="result"><%=request.getAttribute("email")%></div>
    </form>
    <br>
    If you are new user, please <a href="register.html">register</a>.
    </body>
    </html>

Case 1: Application returns HTML (HTML response)

  • Start ZAP

  • Submit login form

  • Choose Active scan XSS for this URL: localhost:8888/test/login

    Result: ZAP found 1 XSS alert

Case 2: Application returns JSON (REST API)

URL: localhost:8888/api/login

Request JSON data format: {"email":"abc", "pass": "123456"}

Response JSON data format: {"email":"abc", "pass": "123456"}

  • Using Ajax to call the API with a JSON request

    <script>
    function sendAjax() {
        var email = $('#email').val();
        var pass = $('#pass').val();

        $.ajax({
            url: "localhost:8888/api/login",
            type: 'POST',
            dataType: 'json',
            data: JSON.stringify({"email": email, "pass": pass}),
            contentType: 'application/json',
            mimeType: 'application/json',

            success: function (data) {
                // the echoed fields are inserted into the page as HTML markup
                $("#result").html("email: " + data.email + " pass: " + data.pass);
            },
            error: function (data, status, er) {
                alert("error: " + data + " status: " + status + " er:" + er);
            }
        });
    }
    </script>
    
  • Start ZAP

  • Click the submit button (calls the sendAjax function to send the request data)

  • Choose Active scan XSS for this URL: localhost:8888/api/login

    Result: Nothing found

What I want to know exactly is: can ZAP check for XSS in a REST API or not? If it can't, then how can I check for XSS in this API (case 2)?

Anders
nhatnguyen
  • If your API returns JSON then, in order for your clients to be safe, the response from the server must specify the Content-Type. JSON is not a script, it's only parsed by the browser, not interpreted, and if the server provides the correct content-type the browser will expect a JSON string (check http://stackoverflow.com/a/3146618/363217) – Purefan Dec 10 '15 at 09:38
  • Thank you. I already set Content-Type to application/json but the result is the same. You mean that ZAP can not check XSS for a REST API based on a JSON response? – nhatnguyen Dec 10 '15 at 10:16
  • I mean, there is no point in checking a JSON response. If it's valid JSON then it's just a string, and the parsing is beyond your control because it's handled natively by the client. If you found some funky code in a JSON response, would you not use JSON at all in your client code? – Purefan Dec 10 '15 at 12:15
  • You would attract more readers and answers if you made your question a bit easier to read. Could you clarify what you ultimately want to achieve, what ZAP is, what exactly you tried, what you expected to happen, what actually happened? From there on it should be clearer what precise questions you need to ask and how we should answer them. – Steve Dodier-Lazaro Dec 10 '15 at 14:10
  • Have you tried the DOM XSS add-on? https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsDomxssDomxss Simon (ZAP Project Lead) – Simon Bennetts Dec 10 '15 at 14:33
  • Thanks all. I have updated my question. Maybe it is easier to understand. Please help me review it – nhatnguyen Dec 11 '15 at 02:54

2 Answers


Purefan already answered your question in the comments, but this is a little more expanded.

An XSS attack is not possible if the web site returns JSON using the Content-Type: application/json header. Why? Because JSON is just a string, so it doesn't matter if your site returns {123 : alert('blablabla')} because that's just a string.

On the other hand, an XSS works because the client interprets the response HTML, so that's why ZAP is detecting the XSS when you are returning HTML instead of JSON.

The Illusive Man
  • This is false in respect to the question. In the question the returned JSON is used to update the DOM using jQuery's .html() function. The jQuery .html(...) function is vulnerable to XSS because it allows HTML markup in the string and ends up evaluating that. It is noted here: http://api.jquery.com/html/ in the "Additional Notes" section. – PålOliver Mar 09 '16 at 08:49
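The following is an added example, not code from the question or from either answer. It models case 2 of the question and the comment above in plain JavaScript (no jQuery, runs under Node) to show where the XSS actually happens: the JSON body is inert as a string, and the problem appears only when the client hands the echoed value to an HTML sink. The sample response body and the helper names (`renderUnsafe`, `renderSafe`, `reachesSinkAsMarkup`) are constructed for the illustration.

```javascript
// Constructed sample response: the API echoes the submitted email back, and the
// submitted value carries markup. The JSON body itself is inert.
const sampleResponseBody =
  '{"email":"<img src=x onerror=alert(1)>","pass":"123456"}';

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mirrors the question's success handler: concatenates the echoed fields into a
// string that $("#result").html(...) then parses as HTML, so any tag inside the
// JSON value becomes a live element. This is the DOM-based XSS sink.
function renderUnsafe(data) {
  return 'email: ' + data.email + ' pass: ' + data.pass;
}

// Hardened handler: escape each value before it reaches an HTML sink. Using
// $("#result").text(...) or element.textContent has the same effect.
function renderSafe(data) {
  return 'email: ' + escapeHtml(data.email) + ' pass: ' + escapeHtml(data.pass);
}

// A crude version of the check a DOM XSS scanner performs: does the string handed
// to the HTML sink still contain something the parser will treat as a tag?
function reachesSinkAsMarkup(rendered) {
  return /<[a-z!\/]/i.test(rendered);
}

// Parse the JSON (harmless on its own) and render it both ways.
function compare(body) {
  const data = JSON.parse(body);
  return {
    unsafe: renderUnsafe(data),
    unsafeIsXss: reachesSinkAsMarkup(renderUnsafe(data)),
    safe: renderSafe(data),
    safeIsXss: reachesSinkAsMarkup(renderSafe(data)),
  };
}

console.log(compare(sampleResponseBody));
```

Run it with `node` to see the two rendered strings side by side. The takeaway for the scanner question is that a passive check of the JSON body alone cannot see this: the vulnerable step is client-side, which is why the DOM XSS add-on suggested in the question's comments is the relevant ZAP tool.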

If your API returns JSON, there is a possibility of XSS on the UI (client) if and only if the application does not properly parse the JSON at the UI (client).

Check if the server is validating the content-type, because it may lead to CSRF.

Please review this related answer on StackOverflow: Is it possible to XSS exploit JSON responses with proper JavaScript string escaping?

ammy
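As an added example, not code from this answer or from the question's application, here is what the content-type check on the server side looks like for a JSON login endpoint such as /api/login. It is written as plain functions over request and response objects so it runs without opening a socket; the response headers chosen and the handler behaviour are assumptions about how such an endpoint should behave, not a description of the asker's server.

```javascript
// Request side: accept only bodies declared as application/json. A plain HTML
// form cannot send that content type, and a cross-site XMLHttpRequest or fetch
// needs a CORS preflight to do so, which is why this blocks simple form-based
// CSRF. It is defence in depth, not a substitute for CSRF tokens or SameSite
// cookies.
function isJsonRequest(headers) {
  const raw = headers['content-type'] || '';
  const mediaType = raw.split(';')[0].trim().toLowerCase();
  return mediaType === 'application/json';
}

// Response side: declare the body as JSON and forbid MIME sniffing, so a browser
// that navigates straight to the endpoint never guesses "this looks like HTML".
function jsonResponseHeaders() {
  return {
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
}

function jsonResponse(status, payload) {
  return { status, headers: jsonResponseHeaders(), body: JSON.stringify(payload) };
}

// Handler for a request shaped as { headers: {...}, body: "..." } (header names
// lower-cased, as Node's http module delivers them). Echoes the email like the
// question's API but never echoes the password back.
function handleLogin(req) {
  if (!isJsonRequest(req.headers)) {
    return jsonResponse(415, { error: 'expected Content-Type: application/json' });
  }
  let parsed;
  try {
    parsed = JSON.parse(req.body);
  } catch (err) {
    return jsonResponse(400, { error: 'body is not valid JSON' });
  }
  if (typeof parsed !== 'object' || parsed === null || typeof parsed.email !== 'string') {
    return jsonResponse(400, { error: 'email must be a string' });
  }
  // Authentication itself is out of scope here; only the transport rules are shown.
  return jsonResponse(200, { email: parsed.email });
}

// Constructed sample requests used as a smoke test: a proper JSON request,
// a form-encoded body (what a CSRF form would send), and a malformed body.
const sampleRequests = [
  { headers: { 'content-type': 'application/json' }, body: '{"email":"abc","pass":"123456"}' },
  { headers: { 'content-type': 'application/x-www-form-urlencoded' }, body: 'email=abc&pass=123456' },
  { headers: { 'content-type': 'application/json; charset=utf-8' }, body: '{not json' },
];
for (const req of sampleRequests) {
  const res = handleLogin(req);
  console.log(res.status, res.body);
}
```

To serve it for real, wrap `handleLogin` in `http.createServer`, collect the request body chunks, then call `res.writeHead(r.status, r.headers)` and `res.end(r.body)` with the returned object. The `nosniff` header matters for the XSS discussion on this page: without it, a browser opened directly on the endpoint may sniff a JSON body containing markup as HTML.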