I wanted to point out a blog post by the company Detectify (same people that found a vuln in the SNI validation a while ago, but a different issue): https://labs.detectify.com/2018/09/04/xss-using-quirky-implementations-of-acme-http-01/ They found that some implementations of ACME enable cross sit…

Hi @hannob [image] hannob: It turns out some implementations do this in a way that they don’t really care about the token, but always reflect whatever you request under the corresponding url (/.well-known/acme-challenge/token). thanks. This is really not a good idea. My own client sends a 40…

Being able to reflect the requested resource in the body is valuable when you are performing HTTP validation for a domain that is served by many web servers (and are not load-balanced through a single endpoint). It saves having to deploy challenges to each server, rather each server just has to be …

I think other clients may also have implemented a “stateless mode” directly inspired by the one from acme.sh. But maybe not. See https://community.letsencrypt.org/search?q=%22stateless%20mode%22 for discussions about this. @Neilpang , I think @_az is right that your implementation will not create…

I agree with you too. And I will check more details about this issue soon, and restrict the regular expression more. Also, are you aware of whether any other implementations were deployed that were inspired by yours? Sorry, I can not remember. Thanks.

XSS via ACME implementations

Issuance Tech

felixf September 15, 2018, 1:18pm 2

You might also be interested in this discussion: Is .well-known/acme-challenge/ an XSS risk

Topic		Replies	Views
Is .well-known/acme-challenge/ an XSS risk Server	8	5566	August 4, 2018
Acme.sh will run arbitrary commands from the configured CA (Fixed in 3.0.6) Client dev	19	2233	June 9, 2023
Is it allowed for an ACME server to use the same token for several authorizations? Client dev	10	227	January 30, 2026
[Suggestion] Let's Encrypt operated, TXT-only DNS Hosting for DNS challenges Feature Requests	18	8852	January 15, 2018
DNS01: How is the challenge supposed to be formatted? Client dev	12	2895	March 25, 2019

XSS via ACME implementations

Related topics