mccutchen go-httpbin Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability exists in mccutchen go-httpbin version 2.17.1 and prior. Endpoints that reflect client-supplied content also let the client choose the response Content-Type through GET parameters, so a payload returned with `Content-Type: text/html` is rendered by the browser and any script in it runs. Exploitation leads to the execution of attacker-supplied scripts or HTML in the context of the victim's browser, with access to data scoped to the affected origin such as cookies or CSRF tokens.

Impact

Exploitation of this vulnerability is a reflected cross-site scripting attack: the victim has to open an attacker-crafted URL to the affected instance, and the script then runs in the context of the victim's browser on that origin. This could lead to theft or injection of cookies, access to CSRF tokens, and phishing attacks, among other actions that JavaScript can perform.

Reproduction

To reproduce this vulnerability, visit one of the following URLs on an affected instance:

1. `/response-headers?Content-Type=text/html&xss=<img/src/onerror=alert('xss')>`
2. `/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html`
3. `/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html`

The base64 value in URLs 2 and 3 decodes to `<img/src/onerror=alert('xss')>`. The indicator to check is the response: a vulnerable instance answers with `Content-Type: text/html` and the payload verbatim in the body, which the browser renders, so the alert fires.
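The following Go program is an added example, not go-httpbin's own code: it reconstructs the pattern behind the three reproduction URLs (a handler that decodes the `/base64/` path segment, and one that turns query parameters into response headers, both trusting a client-supplied content type) and contrasts it with one way to harden the same handlers. The `harden` flag, `safeContentType`, `probe` and `isReflectedHTML` are this example's own names; the hardened branch is a plausible fix, not necessarily the change shipped in 2.18.0. The program drives both variants through `httptest` with the advisory's payload and reports whether the response would be rendered as HTML.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Illustrative reconstruction of the affected pattern, not go-httpbin's own code.
// harden=false mirrors the reported behaviour; harden=true is one possible fix (assumption).

// base64Handler decodes the segment after /base64/ (or /base64/decode/) and serves it with the type named by ?content-type=.
func base64Handler(harden bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		enc := strings.TrimPrefix(strings.TrimPrefix(r.URL.Path, "/base64/"), "decode/")
		data, err := base64.StdEncoding.DecodeString(enc)
		if err != nil {
			http.Error(w, "invalid base64", http.StatusBadRequest)
			return
		}
		ct := r.URL.Query().Get("content-type")
		if ct == "" {
			ct = "text/plain"
		}
		if harden {
			ct = safeContentType(ct)                              // never an active type
			w.Header().Set("X-Content-Type-Options", "nosniff") // and no sniffing back to HTML
		}
		w.Header().Set("Content-Type", ct) // unhardened: text/html renders the decoded payload as markup
		w.Write(data)
	}
}

// allowedTypes lists passive types a client may still request.
var allowedTypes = map[string]bool{"text/plain": true, "application/json": true, "application/octet-stream": true}

// safeContentType honours the requested type only if it is allowlisted.
func safeContentType(requested string) string {
	base := strings.ToLower(strings.TrimSpace(strings.SplitN(requested, ";", 2)[0]))
	if allowedTypes[base] {
		return base
	}
	return "text/plain; charset=utf-8"
}

// responseHeadersHandler turns every query parameter into a response header and echoes the parameters in the body.
func responseHeadersHandler(harden bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		for k, vs := range q {
			if harden && strings.EqualFold(k, "content-type") {
				continue // the client must not choose the response type
			}
			for _, v := range vs {
				w.Header().Add(k, v) // unhardened: Content-Type=text/html lands here
			}
		}
		if harden {
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.Header().Set("X-Content-Type-Options", "nosniff")
		}
		for k, vs := range q {
			line := fmt.Sprintf("%s: %s\n", k, strings.Join(vs, ", "))
			if harden {
				line = html.EscapeString(line) // defence in depth for the echoed values
			}
			fmt.Fprint(w, line)
		}
	}
}

// probe serves one GET through h and returns the response Content-Type and body.
func probe(h http.Handler, target string) (contentType, body string) {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, target, nil))
	return rr.Result().Header.Get("Content-Type"), rr.Body.String()
}

// isReflectedHTML is the tester's check: declared type text/html and the payload echoed verbatim.
func isReflectedHTML(contentType, body, payload string) bool {
	base := strings.ToLower(strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0]))
	return base == "text/html" && strings.Contains(body, payload)
}

func main() {
	const payload = "<img/src/onerror=alert('xss')>"
	b64 := "/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html"
	rh := "/response-headers?Content-Type=text/html&xss=" + url.QueryEscape(payload)
	for _, harden := range []bool{false, true} {
		ct1, body1 := probe(base64Handler(harden), b64)
		ct2, body2 := probe(responseHeadersHandler(harden), rh)
		fmt.Printf("harden=%-5v /base64: %q xss=%v; /response-headers: %q xss=%v\n", harden, ct1, isReflectedHTML(ct1, body1, payload), ct2, isReflectedHTML(ct2, body2, payload))
	}
}
```

Running it prints `xss=true` for both unhardened handlers and `xss=false` for the hardened ones; the hardened `/base64` still returns the decoded bytes, just never under an active type. The allowlist plus `X-Content-Type-Options: nosniff` is the minimal change; serving arbitrary bytes with `Content-Disposition: attachment` is another common option when the endpoint's output is never meant to be displayed inline.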

Remediation

Users are advised to update to version 2.18.0 or later, where this vulnerability has been patched.
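Until every instance is upgraded, the operations side of the question is whether the reproduction URLs above were ever requested. The following Go program is an added example, not part of the advisory or of go-httpbin: it scans access-log lines in combined format for requests to `/response-headers` or `/base64/…` whose query carries a `content-type` parameter (in any letter case) naming a type a browser would render as markup. It generalises the advisory's `text/html` to a few other active types; the sample log lines are constructed for this example, and `FlagXSSAttempts`, `Hit`, `isActiveType` and `hasActiveContentType` are this example's own names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (combined log format) for illustration;
// not real traffic from any go-httpbin deployment.
var sampleLog = []string{
	`10.0.0.5 - - [02/Jan/2026:15:30:01 +0000] "GET /get HTTP/1.1" 200 312 "-" "curl/8.0"`,
	`10.0.0.9 - - [02/Jan/2026:15:30:07 +0000] "GET /response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert('xss')%3E HTTP/1.1" 200 99 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [02/Jan/2026:15:30:09 +0000] "GET /base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html HTTP/1.1" 200 30 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [02/Jan/2026:15:30:11 +0000] "GET /base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text%2Fhtml HTTP/1.1" 200 30 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [02/Jan/2026:15:30:13 +0000] "GET /base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?CONTENT-TYPE=application/xhtml%2Bxml HTTP/1.1" 200 30 "-" "Mozilla/5.0"`,
	`10.0.0.7 - - [02/Jan/2026:15:31:00 +0000] "GET /base64/aGVsbG8=?content-type=text/plain HTTP/1.1" 200 5 "-" "curl/8.0"`,
	`10.0.0.7 - - [02/Jan/2026:15:31:05 +0000] "GET /response-headers?X-Test=1 HTTP/1.1" 200 40 "-" "curl/8.0"`,
}

// requestRe pulls the request target out of the quoted request line.
var requestRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"`)

// activeTypes are Content-Types under which a browser executes script or renders
// markup; text/html is the type used in the advisory, the others generalise the check.
var activeTypes = map[string]bool{
	"text/html": true, "application/xhtml+xml": true, "image/svg+xml": true,
	"text/xml": true, "application/xml": true,
}

// isActiveType normalises a declared type (case, parameters) and checks the list.
func isActiveType(ct string) bool {
	return activeTypes[strings.ToLower(strings.TrimSpace(strings.SplitN(ct, ";", 2)[0]))]
}

// hasActiveContentType looks for a content-type parameter, in any letter case,
// whose decoded value names an active type.
func hasActiveContentType(q url.Values) bool {
	for k, vs := range q {
		if !strings.EqualFold(k, "content-type") {
			continue
		}
		for _, v := range vs {
			if isActiveType(v) {
				return true
			}
		}
	}
	return false
}

// Hit records one suspicious request: the client address and the raw target.
type Hit struct {
	Client string
	Target string
}

// FlagXSSAttempts returns the requests that hit an affected endpoint with a
// client-chosen active Content-Type, i.e. attempts to trigger this issue.
func FlagXSSAttempts(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		if u.Path != "/response-headers" && !strings.HasPrefix(u.Path, "/base64/") {
			continue
		}
		if hasActiveContentType(u.Query()) {
			hits = append(hits, Hit{Client: strings.Fields(line)[0], Target: m[1]})
		}
	}
	return hits
}

func main() {
	for _, h := range FlagXSSAttempts(sampleLog) {
		fmt.Printf("%s %s\n", h.Client, h.Target)
	}
}
```

The match is made on the decoded query value, which is what the server itself sees: a literal `+` in a query string decodes to a space, so `content-type=image/svg+xml` would reach the handler as `image/svg xml` and is not flagged, while the `%2B` form is. Tune `activeTypes` to the deployment; a hit on a patched instance is still worth knowing about as reconnaissance.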

Added: Jan 2, 2026, 3:30 PM
Updated: Jan 2, 2026, 5:11 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.