Skip to content

Instantly share code, notes, and snippets.

@s3u

s3u/gist:1794561

Created February 11, 2012 00:41
Show Gist options
  • Save s3u/1794561 to your computer and use it in GitHub Desktop.
Save s3u/1794561 to your computer and use it in GitHub Desktop.
Download ZIP
connect XSS hole
Raw
gistfile1.md

Run a sample app

git clone https://github.com/visionmedia/express.git
cd express
npm install
node examples/ejs/index.js

Then try this

curl -v -k "http://localhost:3000/no5_such3_file7.pl?\"><script>alert(73541);</script>"

The server returns

Cannot GET /no5_such3_file7.pl?"><script>alert(73541);</script>
@tj
Copy link

tj commented Feb 11, 2012

as text/plain, but yeah depending on the client i can see that being troublesome :)

@s3u
Copy link
Author

s3u commented Feb 11, 2012

yeah - this was reported by a security scanner. The fix is quite trivial. Submitting a pull request to connect.

@s3u
Copy link
Author

s3u commented Feb 14, 2012

Here is the pull request for connect - senchalabs/connect#473

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment