How to solve Reflected XSS (Cross-site scripting)

We have an app built on cakephp 4, where some security vulnerabilities have been detected, as in the example of this link: at the end of robots.txt or a dynamic URL the user can append a string which generates an alert popup.

https://example.com/robots.txtlfjad%27%2balert(%27-x-s-s%27)%2b%27sdyh2

I’m trying to understand why this is happening, and how I can prevent this.

Every help is welcome.

Looking at the URL-decoded version of your link, it is

https://example.com/robots.txtlfjad'+alert('-x-s-s')+'sdyh2

In my app I would get a 404 page, since this file is not present inside my webroot folder.

I would start to look into the generated HTML which gets sent to the browser and see where the alert() is being printed without escaping.

After that, check your template files which print at those spots.
In my case the template is templates/Error/error400.php, which basically outputs the URL that has been requested here:

But this does NOT allow XSS, so it could be something on your side.

If it's not the error template but some different template, then check that and/or go back to the controller which provides the data for that template to see what should be escaped.

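To make the answer's suggestion concrete, here is an added example (not code from the forum thread, from CakePHP, nor from the bootstrapUI plugin) of what an unescaped request target looks like in the rendered HTML, next to a version escaped for each output context. The request target string is constructed from the decoded URL quoted in the question; `renderUnsafe` and `renderSafe` are hypothetical helpers standing in for a template. In a real CakePHP template the HTML-context escaping is what `h()` does, and the request target would come from `$this->request->getRequestTarget()`.

```php
<?php
// Added example, not from the original post or CakePHP: how a raw request
// URL reaches the page, and how to escape it for the context it lands in.
declare(strict_types=1);

// Constructed request target, modelled on the decoded URL from the question.
// It carries the pattern '+alert(...)+' which is designed to close a
// single-quoted JavaScript string and open a new one.
$requestTarget = "/robots.txtlfjad'+alert('-x-s-s')+'sdyh2";

// Vulnerable pattern: the raw URL is interpolated straight into the markup.
// This is the kind of spot to search for in the generated HTML and then in
// the template (or plugin template) that prints it.
function renderUnsafe(string $url): string
{
    return "<p>The requested address '{$url}' was not found on this server.</p>\n"
         . "<script>var requested = '{$url}';</script>";
}

// Hardened pattern: escape per context.
//  - HTML body/attribute: htmlspecialchars with ENT_QUOTES (this is what
//    CakePHP's h() helper wraps), so ' and " become entities.
//  - JavaScript string: json_encode with the HEX flags, so quotes, <, > and &
//    are emitted as \uXXXX and the value cannot terminate the string or the
//    <script> element.
function renderSafe(string $url): string
{
    $htmlSafe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $jsSafe   = json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return "<p>The requested address '{$htmlSafe}' was not found on this server.</p>\n"
         . "<script>var requested = {$jsSafe};</script>";
}

// Quick self-check usable from the command line: the unsafe output still
// contains the literal alert( call inside a live script string, the safe one
// does not contain an unescaped single quote anywhere after escaping.
function isEscaped(string $html, string $url): bool
{
    return strpos($html, $url) === false;
}

echo "--- vulnerable output ---\n", renderUnsafe($requestTarget), "\n\n";
echo "--- escaped output ---\n", renderSafe($requestTarget), "\n\n";
echo 'unsafe escaped? ', var_export(isEscaped(renderUnsafe($requestTarget), $requestTarget), true), "\n";
echo 'safe escaped?   ', var_export(isEscaped(renderSafe($requestTarget), $requestTarget), true), "\n";
```

Run it with `php example.php` and compare the two blocks: in the first, the `'+alert('-x-s-s')+'` fragment sits inside a real JavaScript string and executes when the page loads; in the second, the quotes are entities in the HTML paragraph and `\u0027` sequences in the script, so the browser sees a single harmless string. The point to take into the template review is that `h()` is the right tool for HTML context, but a value printed inside a `<script>` block needs JavaScript-context encoding such as `json_encode()` with those flags.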

Thanks.

In the meantime, I found that the reason for the errors lies in the bootstrapUI plugin.