During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.
I could break out of the attribute that was storing the URL with a double-quote ("), though, which meant I could control the attributes on an arbitrary element. A specially crafted URL could define a style attribute that makes that element cover the entire page, and then an onmouseover attribute could execute arbitrary JavaScript. I ended up with a generic URL that looked like this (URL encoded):
If you unencode the URL, the attack becomes obvious:
http://192.168.0.7:8080/jetspeed/portal/fdsa" style="padding-top:5000px;display:block;position:fixed;top:0;left:0;" onmouseover="javascript:alert(1)"
So, it's an 0day right? I thought so when I went to bed that night.
It turns out someone told Apache about this in 2012. Originally, Jetspeed DID allow < and > in the URI. This was reported in 2007 as an XSS vulnerability, and the fix seems to have been to return a 400 Bad Request whenever they appear in the URI. However, in 2012, someone messaged the Jetspeed dev mailing list showing basically the technique I came up with to achieve JavaScript execution. They received an out-of-office email, and no subsequent replies.
IE and Chrome both have client-side XSS protections that make this attack difficult, but Firefox by default has no problem.
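To show why rejecting < and > alone does not close the attribute-injection hole described above, here is an added Python example (not Jetspeed code, written for this post): a minimal reflection of the request URI into an href attribute, once guarded only by the angle-bracket check and once with attribute-context output encoding, with the result parsed back by the standard-library HTML parser to see which attributes a browser would end up with. The render functions, the anchor element and the reuse of the post's decoded URL as sample input are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed from the decoded URL in the post: the path closes the attribute
# with a double quote and never uses '<' or '>', so a bracket filter passes it.
BASE = "http://192.168.0.7:8080/jetspeed/portal/"
CRAFTED_PATH = ('fdsa" style="padding-top:5000px;display:block;position:fixed;'
                'top:0;left:0;" onmouseover="javascript:alert(1)"')

def passes_angle_bracket_check(uri: str) -> bool:
    """Mimics the 2007-era fix: a URI containing '<' or '>' gets a 400."""
    return "<" not in uri and ">" not in uri

def render_vulnerable(uri: str) -> str:
    """Hypothetical reflection of the request URI into an href attribute,
    protected only by the angle-bracket check (assumed, not Jetspeed's code)."""
    if not passes_angle_bracket_check(uri):
        raise ValueError("400 Bad Request")
    return '<a href="%s">self</a>' % uri

def render_fixed(uri: str) -> str:
    """Same reflection with attribute-context encoding: quote=True turns '"'
    into &quot; so the value can no longer terminate the attribute it sits in."""
    if not passes_angle_bracket_check(uri):
        raise ValueError("400 Bad Request")
    return '<a href="%s">self</a>' % html.escape(uri, quote=True)

class _AnchorAttrs(HTMLParser):
    """Collects the attributes the parser assigns to the first <a> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)

def anchor_attributes(markup: str) -> dict:
    """Parse the rendered markup and return the <a> element's attributes."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

if __name__ == "__main__":
    url = BASE + CRAFTED_PATH
    print(sorted(anchor_attributes(render_vulnerable(url))))  # includes style, onmouseover
    print(sorted(anchor_attributes(render_fixed(url))))       # ['href'] only
```

In the vulnerable rendering the parser hands the element a style and an onmouseover attribute; in the encoded rendering the whole crafted string stays inside href, which is the property a server-side fix has to guarantee regardless of any browser-side XSS filter.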