cybersecurityworks / Disclosed

Disclosing Bugs

Stored Cross Site Scripting (XSS) in 'inline API documentation editor page' | WSO2 API Manager version 2.6.0 | WSO2 Product #22

Open cybersecurityworks opened 4 years ago


Details:

WSO2 Product Bug Report

Bug Name: Stored Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager
Version: 2.6.0
Homepage: https://wso2.com/
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: Yes

AFFECTED PRODUCTS:

[1] WSO2 API Manager

Description:

A stored Cross Site Scripting (XSS) vulnerability exists in the WSO2 API Manager product. By exploiting it, an attacker can hijack a logged-in user's session by stealing cookies, which means the attacker can change the logged-in user's password and invalidate the victim's session while maintaining access.

Proof of Concept (POC):

The following vulnerability was tested on WSO2 API Manager version 2.6.0.

Issue 01: Stored Cross Site Scripting

Figure 01: Choose “Edit Content” after creating a document

Figure 02: Click on </> to add the XSS payload

Figure 03: Use the “Save” button to save the document with the added XSS payload

Figure 04: Saving and clicking on </> again stores the XSS payload, which executes in the browser

Figure 05: The stored XSS payload gets executed whenever the user loads the page.


Reproducing Steps

  1. Log in to the application.
  2. Create an API and navigate to the doc tab to “Add new document”.
  3. Click on “Edit content” after creating a valid document.
  4. Edit the document content value in the “content” variable with the XSS payload, “
  5. Now, whenever the user loads the page, the stored XSS payload gets executed in the browser.

Timeline

2019-07-05 – Discovered in WSO2 API Manager v2.6.0
2019-07-06 – Reported to the intigriti platform.
2019-07-23 – The issue was closed in the intigriti platform as "out of scope".
2019-07-26 – Discovered in WSO2 API Manager version 2.6.0.
2019-07-26 – Reported to security@wso2.com
2019-07-26 – Got an instant response from the WSO2 security team: "Thanks for your continuous effort on analyzing security vulnerabilities on WSO2 products. We will evaluate your finding and get back to you as soon as possible with our feedback."
2019-08-05 – Got mail from the WSO2 team saying, "We were able to reproduce the issue with APIM 2.6.0. We will fix this and provide you with an update."
2019-08-13 – Fixing in all affected versions
2019-09-10 – Customer Announcement is scheduled
2019-10-08 – Got mail saying, "Customer Security Announcement for the issues are scheduled by the end of September"
2019-11-04 – Customer Announcement is done. Public Announcement is done. Please refer to [1] for the Security Advisory.

Note: Since we have already contributed WSO2-2017-0265, WSO2-2019-0616, WSO2-2019-0633, WSO2-2019-0634, WSO2-2019-0635, and WSO2-2019-0644 to the WSO2 team, our name is already listed on their security acknowledgment page [2].

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0645
[2] https://docs.wso2.com/display/Security/Acknowledgments


Discovered by: Sathish Kumar Balakrishnan from Cyber Security Research Lab