Apps built using Go could be vulnerable to XSS exploits

4 years ago 183
BOOK THIS SPACE FOR AD
ARTICLE AD

John Leyden 03 September 2020 at 12:46 UTC

Do not pass Go. Do not collect $200

Apps built using Go could be vulnerable to XSS exploits

Inconsistent behavior of Go’s CGI and FastCGI interfaces may lead to cross-site scripting (XSS) security vulnerabilities in apps built using older versions of the programming language.

Security researchers at German firm RedTeam Pentesting discovered that CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content.

“In contrast to the documented behavior, they [Go's CGI and FastCGI Transport] may return non-HTML data as HTML,” an advisory by RedTeam Pentesting explains.

“This may lead to cross-site scripting vulnerabilities, even if uploaded data has been validated during upload.”

RedTeam Pentesting disclosed the issue to the programmers behind Go, who responded by developing fixed versions (1.14.8, 1.15.1). The patched software was released on September 1.

App developers are advised to use these versions of the programming language in order to avoid risk from the vulnerability (CVE-2020-24553), which RedTeam Pentesting classifies as “medium” risk.

Content-type trickery

Go’s CGI and FastCGI interface is a legacy technology that’s been around since the early 1990s and used for executing applications.

As a result of the vulnerability, an application built using Go might be vulnerable to server-side XSS attacks.

Exploits are possible because a malicious user could upload an upload an image, such as a PNG file, and include a script block with JavaScript in the comment.

When this image is served later, it has the incorrect MIME type, which allows the JavaScript to be execute via the script tag, as it’s (incorrectly) treated as HTML.

Read more of the latest web hacking news

The vulnerability itself is easy to exploit and the impact can be severe.

“The consequences heavily depend on the web application,” RedTeam Pentesting told The Daily Swig.

“In the worst case, the attackers have full control of the user's session and can use the web application in the user's name.”

The researchers added that they are “aware of vulnerable applications in the wild” but are not in a position to disclose any further details at this point.

RECOMMENDED New HTTP request smuggling variants levied against modern web servers

Read Entire Article