podinfo Reflected Cross-Site Scripting Vulnerability in Echo Endpoints

Vulnerability

A reflected cross-site scripting vulnerability has been identified in podinfo versions through 6.11.2. The issue resides in the '/echo' and '/api/echo' endpoints, where the 'echoHandler' function writes the request body directly to the response without setting an explicit 'Content-Type' or 'X-Content-Type-Options' header. Because Go's net/http sniffs the content type of a response whose 'Content-Type' is unset, a body that begins with HTML is served as 'text/html'. This allows an attacker to host a cross-origin HTML page containing an auto-submitting form whose body carries a script payload; when the payload is reflected back as 'text/html', the script executes in the podinfo origin for any victim who visits the attacker's page.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the podinfo origin context. This could lead to DOM manipulation, phishing attacks, and same-origin request forgery from the victim's browser. Additionally, if podinfo is deployed under a shared cookie scope, such as a '*.example.com' staging environment, the impact could extend to that scope's trust boundary.

Reproduction

To reproduce this vulnerability, first deploy podinfo version 6.11.2. Then, send a POST request to the '/api/echo' endpoint with a script payload in the request body. The server will respond with the payload reflected as 'text/html', which can be verified by the presence of the 'X-Color' header. This response can be delivered to a victim via a cross-origin HTML page that auto-submits the form, executing the script in the context of the podinfo origin.

Remediation

To address this vulnerability, set an explicit non-HTML 'Content-Type' header, add 'X-Content-Type-Options: nosniff', and implement a restrictive 'Content-Security-Policy' before writing the echoed body. After applying this patch, the '/echo' and '/api/echo' endpoints will no longer render responses as HTML, effectively mitigating the cross-site scripting risk.
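The following Go example, added here and not taken from podinfo's code base, reconstructs a hypothetical echo handler with the flaw described above beside one that applies the remediation, and uses net/http/httptest to show the Content-Type a browser would receive from each. The handler bodies and the CSP value are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableEcho reconstructs the flaw the advisory describes (hypothetical,
// not podinfo's own code): the body is written back with no Content-Type set,
// so net/http sniffs it and an HTML-looking body is served as text/html.
func vulnerableEcho(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	w.Write(body)
}

// hardenedEcho applies the advisory's remediation: an explicit non-HTML
// Content-Type, nosniff, and a restrictive CSP, all set before the first
// Write (headers set after Write are silently dropped by net/http).
func hardenedEcho(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	h := w.Header()
	h.Set("Content-Type", "text/plain; charset=utf-8")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.Write(body)
}

// ResponseHeaders posts a constructed body to the handler and returns the
// response headers a client would see, including any sniffed Content-Type.
func ResponseHeaders(handler http.HandlerFunc, body string) http.Header {
	req := httptest.NewRequest(http.MethodPost, "/api/echo", strings.NewReader(body))
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Result().Header
}

func main() {
	payload := "<script>console.log('sniffed as html')</script>" // constructed sample body
	handlers := map[string]http.HandlerFunc{"vulnerable": vulnerableEcho, "hardened": hardenedEcho}
	for name, h := range handlers {
		hdr := ResponseHeaders(h, payload)
		fmt.Printf("%-10s Content-Type=%q X-Content-Type-Options=%q\n",
			name, hdr.Get("Content-Type"), hdr.Get("X-Content-Type-Options"))
	}
}
```

The same check, run against a live deployment with a plain body instead of a script, is a quick way to confirm that the patched endpoints return a non-HTML 'Content-Type' together with 'nosniff'.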

Added: May 14, 2026, 1:24 PM
Updated: May 14, 2026, 1:24 PM

Vulnerability Rating

Custom Algorithm scores (0-10):

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.