
In some basic steps:

  1. POST request containing a photo with multipart/form-data.
  2. HTTP/1.1 302 Found response with a redirect back to the form.
  3. Redirect to the initial form.

In case 1 we are able to control the filename, allowing us to use any kind of payload we want.

In case 2 we are able to see the XSS payload in the response, but no execution (let the fun begin) because of the Location header.

In case 3 we see the file name, which is a Laravel-encoded response... => no XSS.

Explained:

Step 1:

POST /upload/file HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://example.com/upload
Content-Type: multipart/form-data; boundary=---------------------------172863706614177227892012498540
Content-Length: 8331
Cookie: laravel_session=not_your_problem
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------172863706614177227892012498540
Content-Disposition: form-data; name="doc_1"; filename="<!DOCTYPE html><script>alert('XSS'); .png"
Content-Type: image/png

Step 2:

HTTP/1.1 302 Found
Server: nginx/1.12.2
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache
Location: https://example.com/upload
Date: Tue, 08 May 2018 12:49:50 GMT
Set-Cookie: laravel_session=laravel_session=not_your_problem; path=/
Strict-Transport-Security: max-age=31536000
Content-Length: 535

  adding: <!DOCTYPE html><script>alert('XSS'); .png (deflated 14%)
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="1;url=https://example.com/upload" />

From what I know of the Laravel framework, other websites and applications also add a content-based redirect (even if there is a header one like Location) for extra redundancy, like <meta http-equiv="refresh" content="1;url=something">.

In what circumstances, and how, might I be able to bypass the Location header in order to execute my content and therefore my XSS?

schroeder
Lucian Nitescu

1 Answer

If XSS only occurs if the client submits the payload, this isn't really viable unless you can trick them into doing it.

The RFC says that clients may automatically redirect upon receiving an HTTP 302 with the Location header. While a body is required, it can be effectively ignored by the client per the spec.

Therefore, I don't think you can "bypass the Location header", at least when the browser instantly follows the Location header and doesn't render the page, which seems to be the prevalent behavior.

It might be possible, if the client has any influence on the headers returned by the server, to perform an HTTP response splitting attack, where the Location header could be modified or bypassed entirely. Again, this would likely require the victim to submit the crafted request themselves, making this an unlikely avenue.

multithr3at3d
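A server-side fix for the scenario in the question, as an added example that is not code from the question, the answer or Laravel: sanitize the uploaded filename before it is stored or logged, and HTML-escape anything reflected into the 302 body, so the body stays harmless even for a client that renders it instead of following Location. The function names are assumptions; the payload string is copied from the question's Content-Disposition header.

```python
import html
import re
import unicodedata

# Constructed test input: the filename from the question's multipart request.
PAYLOAD_FILENAME = "<!DOCTYPE html><script>alert('XSS'); .png"


def sanitize_upload_filename(name, max_len=100):
    """Reduce a client-supplied filename to a conservative allow-list.

    Drops directory components, normalizes Unicode, replaces every character
    outside [A-Za-z0-9._-] with '_' and strips leading/trailing dots and
    underscores (no hidden files, no trailing-dot tricks)."""
    name = unicodedata.normalize("NFKC", name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # basename only
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    name = name.strip("._")
    if not name:
        name = "upload"                                  # never return an empty name
    return name[:max_len]


def build_redirect_response(location, filename):
    """Return (status, headers, body) for the post-upload 302.

    The redirect target is fixed server-side (never taken from the client) and the
    only user-influenced value in the body is the sanitized, HTML-escaped filename.
    The `adding: ... (deflated 14%)` line from the question (raw tool output echoed
    into the body) is deliberately absent: tool output should go to a log, not a response."""
    safe_name = html.escape(sanitize_upload_filename(filename), quote=True)
    safe_loc = html.escape(location, quote=True)
    body = (
        '<!DOCTYPE html><html><head><meta charset="UTF-8" />'
        f'<meta http-equiv="refresh" content="1;url={safe_loc}" /></head>'
        f'<body>Uploaded {safe_name}. <a href="{safe_loc}">Continue</a></body></html>'
    )
    headers = {
        "Location": location,
        "Content-Type": "text/html; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 302, headers, body


def body_reflects_raw_input(body, user_input):
    """Regression check for the bug in the question: is the raw input echoed verbatim?"""
    return user_input in body
```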