Django Form and Cross Site Scripting (Reflected) Alert


Jarad C

Feb 11, 2021, 9:05:02 PM2/11/21
to OWASP ZAP User Group
In my Django project, I have a search input in the navbar across most pages on my site.

I'm a beginner to OWASP ZAP. After running the scan, one of the high priority alerts (red flag icon) raised was "Cross Site Scripting (Reflected)".

In my case, this is my website search `form`:

    <form method="GET" id="searchForm">
      <input type="text" name="q"
             id="searchQuery" placeholder="Search..." autocomplete="off" maxlength="100" required="">
    </form>

If someone searches for `javascript:alert(1);` in the search box, the `value=` attribute contains the same.

    <form method="GET" id="searchForm">
      <input type="text" name="q" value="javascript:alert(1);"
             id="searchQuery" placeholder="Search..." autocomplete="off" maxlength="100" required="">
    </form>

Is this potentially a vulnerability, or is the input being sanitized by Django? This form is created using a Django `forms.ModelForm`:

    from django import forms

    # `Search` is the project's own model; its import was not shown in the post.
    class SiteSearchForm(forms.ModelForm):
        class Meta:
            model = Search
            fields = ('q',)

Simon Bennetts

Feb 12, 2021, 11:14:01 AM2/12/21
to OWASP ZAP User Group
What is the attack that ZAP reports?
The payload you have given doesn't look like it would trigger an XSS based on the HTML you've given, but it's not possible for us to know what effect other payloads would have.
I don't use Django so that code snippet means nothing to me :)

Cheers,

Simon

Scott Gerlach

Feb 12, 2021, 11:29:07 AM2/12/21
to OWASP ZAP User Group
Hi,

ZAP does a bunch of XSS testing, but there are so many possible iterations that it's hard to test ALL of the possibilities. In this case, it looks like it got triggered as a Positive and is likely an XSS.

I haven't used the formModel in Django much, but based on some research it looks like you could add some additional checking to the clean() function in your form.

I *think* Django is doing some protection here, but I'd have to test some more to validate. This looks like a great question to ask over in the Django forum https://forum.djangoproject.com/c/users/6

Sorry I couldn't be more prescriptive.

-Scott
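To make Simon's point concrete (the thread's `javascript:alert(1);` cannot leave a double-quoted `value` attribute on its own, while a payload containing `"` can unless the attribute is escaped), here is an added example that is not from the thread and not Django's own rendering code. It uses only the standard library: `html.escape(quote=True)` escapes the same five characters as `django.utils.html.escape`, which is what Django's template autoescaping and form widgets apply to attribute values; the second sample query is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the query from the thread, and one that tries to
# close the value attribute and add its own attributes.
INERT_QUERY = "javascript:alert(1);"
BREAKOUT_QUERY = '" autofocus onfocus="alert(1)'

def render_unsafe(q: str) -> str:
    """What a template emits when autoescaping is bypassed (|safe / mark_safe)."""
    return f'<input type="text" name="q" value="{q}" id="searchQuery">'

def render_escaped(q: str) -> str:
    """What Django's autoescaped widget rendering emits: & < > " ' become entities."""
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}" id="searchQuery">'

class _TagCollector(HTMLParser):
    """Records every start tag with its attributes; values are entity-decoded by the parser."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def reflected_value_is_contained(markup: str, original_q: str) -> bool:
    """True if the markup parses to exactly one <input> whose attributes are only the ones
    the template wrote and whose value decodes back to the original query.
    Any extra attribute or element means the reflected text escaped the attribute."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1 or parser.tags[0][0] != "input":
        return False
    attrs = parser.tags[0][1]
    return set(attrs) == {"type", "name", "value", "id"} and attrs.get("value") == original_q

if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        for q in (INERT_QUERY, BREAKOUT_QUERY):
            print(f"{label:8} {q!r:40} contained={reflected_value_is_contained(render(q), q)}")
```

The inert query is contained even without escaping, which is why the quoted payload alone is no evidence either way; ZAP's alert should be judged on the exact attack string it reports, and the escaped render shows why an autoescaped Django template keeps the breakout payload inside the attribute.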