
RE: Transfer-Encoding and XSS

From: Eric Lawrence <Eric.Lawrence@microsoft.com>
Date: Tue, 25 Sep 2018 14:42:11 +0000
To: Ricardo Iramar dos Santos <riramar@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <BN6PR21MB0787BDE0C311671975D65C30F7160@BN6PR21MB0787.namprd21.prod.outlook.com>

Anecdotally, I’ve never seen a browser itself specify a Transfer-Encoding on a *request*.

The use of Content-Encoding: gzip on certain uploads has been proposed at various points (and is possible via e.g. Flash, IIRC) but it suffers from the general challenge that there’s no good way to understand whether the server will accept such encoding (and protect itself from Zip bomb attacks, etc).

From: Ricardo Iramar dos Santos <riramar@gmail.com>
Sent: Monday, September 17, 2018 11:16 AM
To: WebAppSec WG <public-webappsec@w3.org>
Subject: Transfer-Encoding and XSS

Hi All,

I know the Transfer-Encoding request header, per specification (XMLHttpRequest and Fetch), cannot be defined by the user, so I'm trying to check when the browsers use it. I've already googled it but I couldn't find anything really clear.
What I'm trying to achieve is to check whether it's possible for an attacker to exploit an XSS using a cross-domain request, taking advantage of this PHP issue: https://bugs.php.net/bug.php?id=76582. Basically, what happens is that if an Apache+PHP server receives a POST request with a "Transfer-Encoding: chunked" header, the request body is reflected in the response body.

Thanks!
Ricardo Iramar
Received on Tuesday, 25 September 2018 14:42:34 UTC
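
Added example, not part of the original thread: one way a server can accept `Content-Encoding: gzip` request bodies while protecting itself from the zip-bomb problem mentioned in the reply above, by capping the decoded size and answering 415 for encodings it does not accept. The function name, the 1 MiB limit, the lower-cased header dict and the sample bodies are assumptions made for illustration.

```python
import gzip
import zlib

MAX_DECODED = 1024 * 1024   # assumed policy: 1 MiB cap on the decoded body
STEP = 16 * 1024            # decode in small steps so the cap is checked often


class BodyRejected(Exception):
    """Carries the HTTP status the server should answer with."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def decode_request_body(headers, raw, limit=MAX_DECODED):
    """headers: dict with lower-cased names (assumption); raw: body bytes."""
    encoding = headers.get("content-encoding", "identity").strip().lower()
    if encoding == "identity":
        if len(raw) > limit:
            raise BodyRejected(413, "body too large")
        return raw
    if encoding != "gzip":
        # Tell the client explicitly that this encoding is not accepted.
        raise BodyRejected(415, "unsupported Content-Encoding")

    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    data = raw
    try:
        while data and not inflater.eof:
            # max_length bounds the output of each call, so memory use never
            # exceeds limit + 1 bytes however small the compressed input is.
            out += inflater.decompress(data, min(STEP, limit + 1 - len(out)))
            if len(out) > limit:
                raise BodyRejected(413, "decoded body exceeds limit")
            data = inflater.unconsumed_tail
    except zlib.error:
        raise BodyRejected(400, "corrupt gzip body") from None
    if not inflater.eof or inflater.unused_data:
        raise BodyRejected(400, "truncated gzip body or trailing data")
    return bytes(out)


# Constructed sample inputs (not from the thread).
SAMPLE_OK = gzip.compress(b'{"name": "example"}')
SAMPLE_BOMB = gzip.compress(b"\0" * (5 * 1024 * 1024))  # few KB, inflates to 5 MiB
```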
