search

cybersecurityworks / Disclosed

Disclosing Bugs
3 stars 1 forks source link

Multiple Reflected Cross Site Scripting (XSS) in ''docName', 'version' and 'apiName' of created API document using XSS payload' | WSO2 API Manager version 2.6.0 | WSO2 Product #24

Open cybersecurityworks opened 4 years ago

cybersecurityworks commented 4 years ago

Details:

WSO2 Product Bug Report Bug Name: Multiple reflected Cross Site Scripting (XSS) Product Name: WSO2 Server: WSO2 API Manager Version: 2.6.0 Homepage: https://wso2.com/ Severity: Low Status: Fixed Exploitation Requires Authentication?: yes

AFFECTED PRODUCTS:

[1] WSO2 API Manager

Description:

Cross Site Scripting (XSS) vulnerability in WSO2 API Manager Product. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged in user’s session by stealing cookies which means that the malicious hacker can change the logged in user’s password and invalidate the session of the victim while the hacker maintains access.

Proof of concept: (POC)

The following Vulnerability is tested on WSO2 API Manager version 2.6.0 Product.

Issue 01: Multiple reflected cross site scripting:

Picture1 Figure 01: Update the existing document information created. (here API Name is ‘reflected XSS’)

Picture2 Figure 02: Add XSS payload to the variable “docName”

Picture3 Figure 03: HTTP Response for the modified “docName” variable with XSS payload.

Picture4 Figure 04: Injected XSS payload, “> gets reflected in the browser response.

Issue 02 & 03:

Picture5 Figure 05: Injected XSS payload in variable docName, version and apiName gets reflected in the Response

Picture6 Figure 06: Injected payload gets reflected in the browser THREE times (THREE places)

Picture7 Figure 07: Page Looks after executing the injected XSS payload

Reproducing Steps

  1. Login to the application (admin/admin) through the login URL.
  2. Go to the page where an API is already created
  3. Create a document for the created API by clicking on “Add New Document” button.
  4. Created documents are listed as shown in figure 01
  5. Click on “Update” button to update document information.
  6. Add relevant information and capture the request in proxy to add XSS payload “><script>alert(document.cookie)</script>” in “docName” variable.
  7. Now, Injected XSS payload gets executed in the browser.

Note: Similarly, add XSS payload to the other vulnerable variables “version” and “apiName” which reflects in the browser.

Timeline

2019-07-05 – Discovered in WSO2 API Manager v2.6.0 2019-07-06 – Reported to intigriti platform. 2019-07-23 - Closed the issue in intigriti platform saying it as "out of scope" 2019-07-26 – Reported to security@wso2.com 2019-07-29 – Got response from WSO2 security team, "Thank you for reaching out to WSO2 Platform Security Team. We will evaluate your finding and get back to you as soon as possible with our feedback." 2019-08-05 – Got mail from WSO2 team saying, "We were able to reproduce the issue with APIM 2.6.0. We will fix this and provide you with an update." 2019-08-13 - Fixing in all affected versions 2019-09-10 - Customer Announcement is scheduled 2019-10-08 - Got mail saying, "Customer Security Announcement for the issues are scheduled by the end of September" 2019-11-04 - Customer Announcement is done. Public Announcement is done. Please refer [1] for Security Advisory

Note: Since, we have contributed on WSO2-2017-0265, WSO2-2019-0616, WSO2-2019-0633, WSO2-2019-0634, WSO2-2019-0635, WSO2-2019-0644, WSO2-2019-0645, and WSO2-2019-0647 to WSO2 team, our name already got listed in their security acknowledgment page [2]

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0646 [2] https://docs.wso2.com/display/Security/Acknowledgments

Discovered by: Sathish Kumar Balakrishnan from Cyber Security Research Lab