Applications created with Go may be vulnerable to XSS attacks

Inconsistent behavior in Go’s CGI and FastCGI interfaces can lead to cross-site scripting (XSS) vulnerabilities in programs created with earlier versions of the programming language.

Security researchers at the German company RedTeam Pentesting have discovered that the CGI and FastCGI implementations in the popular Go library behave differently from the HTTP server implementation when serving content.

“Contrary to the documented behavior, they [Go’s CGI and FastCGI transport] can send non-HTML data as HTML,” explains an advisory by RedTeam Pentesting.

“This can lead to cross-site scripting vulnerabilities, even if the downloaded data was a validated download.”

RedTeam Pentesting disclosed the issue to the Go developers, who responded with fixed versions (1.14.8, 1.15.1). The corrected software was released on September 1.

Application developers are encouraged to use those versions of the programming language to address the vulnerability (CVE-2020-24553), which RedTeam Pentesting classifies as “medium” risk.

Go’s CGI and FastCGI interfaces are a legacy technology that has existed from the beginning and is used to run applications.

Because of this vulnerability, an application created with Go may be vulnerable to server-side XSS attacks.

Exploits are conceivable because a malicious user can simply upload an image, such as a PNG file, that contains a script block with JavaScript in a comment.

When this image is served later, it carries a MIME type that allows the JavaScript in the script tag to run, because the content is (incorrectly) treated as HTML.
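The following Go sketch is an added example, not code from RedTeam Pentesting's advisory or the Go project. It shows a handler that sets the Content-Type of stored uploads itself, so the response does not depend on whatever default the CGI or FastCGI transport would pick. The names `serveUpload`, `servedHeaders` and `inlineOK` are hypothetical, and both sample payloads are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Types this hypothetical application agrees to render inline.
var inlineOK = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true}

// Constructed sample: PNG signature followed by a text chunk holding markup.
var samplePNG = []byte("\x89PNG\r\n\x1a\n....tEXtComment\x00<script>alert(1)</script>")

// Constructed sample: plain markup stored as if it were an uploaded image.
var sampleHTML = []byte("<html><body><script>alert(1)</script></body></html>")

// serveUpload writes stored upload bytes with an explicit Content-Type, so the
// response never relies on a default chosen by the transport underneath.
func serveUpload(w http.ResponseWriter, data []byte) {
	ctype := http.DetectContentType(data) // inspects at most the first 512 bytes
	if !inlineOK[ctype] {
		// Anything outside the allowlist is sent as an opaque download.
		ctype = "application/octet-stream"
		w.Header().Set("Content-Disposition", "attachment")
	}
	w.Header().Set("Content-Type", ctype)
	// Tell the browser not to second-guess the declared type.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(data)
}

// servedHeaders runs serveUpload against an in-memory recorder and returns
// the response headers a client would receive.
func servedHeaders(data []byte) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, data)
	return rec.Result().Header
}

func main() {
	for name, data := range map[string][]byte{"png": samplePNG, "html": sampleHTML} {
		h := servedHeaders(data)
		fmt.Printf("%-4s -> %s (nosniff=%q)\n", name,
			h.Get("Content-Type"), h.Get("X-Content-Type-Options"))
	}
}
```

Setting the header explicitly complements the upgrade to the fixed Go versions named above and does not replace it.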


The vulnerability itself is easy to exploit and its effect can be severe.

“The consequences depend largely on the Internet application,” RedTeam Pentesting told the Daily Swig.

“In the worst case, attackers have completed the user’s query and can use the Internet application on behalf of the user.”

The researchers added that they are “aware of vulnerable programs in the wild,” but cannot reveal additional details at this time.
