N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-p4f6-h8jj-vfvf

GHSA-p4f6-h8jj-vfvf: Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-528q-4pgm-wvg2. This link is maintained to preserve external references.

Original Description

A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-p4f6-h8jj-vfvf

GHSA-p4f6-h8jj-vfvf:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mccutchen/go-httpbin/v2	go	< 2.18.0	2.18.0
github.com/mccutchen/go-httpbin	go	<= 1.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the go-httpbin library. The root cause is that certain endpoints allowed the client to control the Content-Type of the response via a query parameter. When a "dangerous" content type like text/html was provided, the browser would attempt to render the response body as HTML. The application did not properly sanitize or escape user-provided input that was reflected in the response body, leading to XSS.

The analysis of the patch between the vulnerable version v2.17.1 and the patched version v2.18.0 reveals the exact locations of the vulnerability. The patch introduces an allowlist of "safe" content types (text/plain, application/json, application/octet-string). For any other content type, the application now escapes HTML entities in the response body.

The following functions were identified as vulnerable:

HTTPBin.ResponseHeaders: This function handles requests to the /response-headers endpoint. It reflects all query parameters into the response body as a JSON object. Before the patch, it did not escape the keys or values of these parameters. An attacker could craft a URL with Content-Type=text/html and a malicious payload in another parameter, causing the browser to execute the script. The patch adds escaping for the reflected parameters when a potentially dangerous content type is detected.
HTTPBin.Base64: This function handles requests to /base64/{data} and /base64/decode/{data}. It decodes the base64-encoded data from the URL path and includes it in the response body. Similar to the previous function, the Content-Type could be controlled by a query parameter. An attacker could provide a base64-encoded HTML payload with embedded scripts. The patch mitigates this by escaping the decoded data before it is written to the response if the content type is not on the safe list.

The fix involves checking the Content-Type and applying html.EscapeString to the data being reflected in the response, which is handled by the new mustEscapeResponse and isDangerousContentType helper functions.

Vulnerable functions

HTTPBin.ResponseHeaders

httpbin/handlers.go

The `ResponseHeaders` function was vulnerable to reflected XSS. It reflected user-provided query parameters into the response body without escaping. An attacker could set the `Content-Type` to `text/html` via a query parameter and include a malicious script in another parameter. The browser would then render the response as HTML and execute the script. The patch adds HTML escaping to the reflected parameters when the `Content-Type` is not in a safe-list.

HTTPBin.Base64

httpbin/handlers.go

The `Base64` function was vulnerable to reflected XSS. It would decode a base64 string from the URL and write the decoded content to the response. An attacker could provide a base64-encoded malicious HTML payload and set the `Content-Type` to `text/html` via a query parameter. This would cause the browser to render the malicious content. The patch mitigates this by escaping the decoded content if the `Content-Type` is not on a safe-list.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-p4f6-h8jj-vfvf: Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

Duplicate Advisory

Original Description

GHSA-p4f6-h8jj-vfvf:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

GHSA-p4f6-h8jj-vfvf: Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

Duplicate Advisory

Original Description

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI