Take, for example, a website www.example.com that has a page at path /sites with mainly text and no input or form.
And the attacker uses a URL like /sites?q=%3Cscript%3Ealert(1)%3C/script%3E or /sites/%3Cscript%3Ealert(1)%3C/script%3E or a similar URL to make their intention appear anywhere on the page. But since the website does not have such a URL, it will go to the NextJS 404 page or custom not-found.tsx, but that attacking URL is still in the URL bar.
So this kind of situation usually triggers DAST scans like Fortify, which will mark it as reflected XSS. Even though such a page doesn't exist, because the attacking pattern is still lingering in the URL bar (page showing 404) or the modified request header is still intact, it will trigger a red alert on the DAST scan.
So I want to ask, how exactly do people tackle such a situation? I'm sure enterprise-grade apps built using NextJs will have their app scanned first before going live to ensure that every attack hole is covered properly. My initial idea was to redirect the page to our custom 404 page at the /error path when hitting non-existent URLs like the above, but it seems like the scan still marks it as reflected XSS.
Is there a way to make NextJs safe from reflected XSS attacks, aside from the usual sanitizing of input and data, avoiding red flags like dangerouslySetInnerHTML, and strengthening headers through CSP? What else have I missed?
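The distinction the post is circling is between the probe sitting in the URL bar and the probe being reflected unescaped into the response body; only the latter is a reflected XSS. The following is an added example, not code from the discussion or from Next.js: it mimics the escaping React applies to JSX text (so a not-found page that echoes the pathname renders `&lt;script&gt;`), contrasts it with the `dangerouslySetInnerHTML` shape that really would reflect markup, and classifies a scanner finding by inspecting a captured 404 body rather than the URL. `renderNotFoundSafe`, `renderNotFoundUnsafe`, `classifyFinding` and `buildCsp` are hypothetical helper names; the probe string is the decoded form of the URL quoted in the post, and the bodies are constructed stand-ins for a real 404 response.

```javascript
// Added example (not from the original discussion or the Next.js project).
// Constructed probe: the decoded payload from the post's URL.
const PAYLOAD = "<script>alert(1)</script>";

// Equivalent to the escaping React applies to JSX text children and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical not-found body, rendered the way JSX {pathname} would render it.
function renderNotFoundSafe(pathname) {
  return `<main><h1>404</h1><p>No page at ${escapeHtml(pathname)}</p></main>`;
}

// The same page with dangerouslySetInnerHTML={{ __html: pathname }}:
// this is the shape that actually reflects attacker markup.
function renderNotFoundUnsafe(pathname) {
  return `<main><h1>404</h1><p>No page at ${pathname}</p></main>`;
}

// True only if the probe survives in the body with its '<' intact,
// i.e. in a form the browser would parse as markup. An escaped or still
// URL-encoded copy (&lt;script&gt; or %3Cscript%3E) is inert text.
function reflectsUnescaped(body, payload) {
  return body.includes(payload);
}

// Triage a DAST finding: the URL always carries the probe, so decide on the body.
function classifyFinding(status, body, payload) {
  if (reflectsUnescaped(body, payload)) return "reflected-xss";
  if (status === 404) return "false-positive-404";
  return "no-reflection";
}

// A Content-Security-Policy that would block an inline alert(1) even if some
// page did reflect it. Only nonce-tagged scripts may run; wiring the nonce into
// the Next.js render is outside this snippet.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Stand-alone run: compare the two renderings of the post's URL.
const probePath = "/sites/" + PAYLOAD;
console.log(classifyFinding(404, renderNotFoundSafe(probePath), PAYLOAD));   // false-positive-404
console.log(classifyFinding(404, renderNotFoundUnsafe(probePath), PAYLOAD)); // reflected-xss
```

Running `classifyFinding` over the scanner's captured 404 responses separates findings that need a fix (the body echoes the raw probe) from ones that only need to be documented as false positives; redirecting to /error does not change the outcome because the scanner still judges the reflection by body content, not by which route served it.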