This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Prevent redirection from URL injection in the Developer Portal

Posted on 01-30-2024 10:50 AM
vernon08
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi Everyone,

We have a concern about security vulnerability on our developer portal. It is related to URL injection that allows user to redirect to other sites.

Below is the example URL injection:

https://<hostname>/files/..%5C..%5C..%5CPOC%20HTTP/1.1%0aHost%3A%20example.com%0A%0A

We tried to add the below in the Content Security Policy(CSP) ( Publish -> Portals -> Security -> ); but it is not preventing the redirection. Could you please let us know what is missing? Is there any way to prevent such injection attacks?

- default-src 'unsafe-eval' 'unsafe-inline' * data:
- default-src 'self' 'unsafe-url' 'unsafe-eval' 'unsafe-inline' * data:
- default-src 'self' 'unsafe-url' 'unsafe-eval' 'unsafe-inline' * data: referrer no-referrer

Regards,
Vernon

0 5 494
0 Likes
5 REPLIES 5
Top Solution Authors
View all