Create new service provider information or edit an existing service provider's information (here it's XSS).
Select Service Provider Claim Dialect in the given list of details and click the "Add" button to see the injected XSS payload get executed in the browser.
Details:
WSO2 Product Bug Report
Bug Name: Stored Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 Identity Server
Version: 5.7.0
Homepage: https://wso2.com/
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp
Vulnerable Variable: dialect
AFFECTED PRODUCTS:
[1] WSO2 API Manager
[2] WSO2 API Manager Analytics
[3] WSO2 IS as Key Manager
[4] WSO2 Identity Server
[5] WSO2 Identity Server Analytics
Description:
Cross Site Scripting (XSS) vulnerability in WSO2 Identity Server. By exploiting a cross-site scripting vulnerability, the attacker can hijack a logged-in user’s session by stealing cookies, which means that the malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access.
Proof of concept: (POC)
POST request `dialect` variable is vulnerable to stored cross site scripting (XSS) in the URL, https://localhost:9443/carbon/identity-claim-mgt/add-dialect-finish-ajaxprocessor.jsp
Figure 01: Adding XSS payload to `dialect` variable
Figure 02: Added XSS payload, `<script>alert(document.cookie)</script>`, gets stored
Figure 03: Edit the service provider information
Figure 04: Select the XSS payload stored in the claims
Figure 05: Add Service Provider Claim Dialect URI by selecting the stored URI value from claims
Figure 06: Injected XSS payload gets executed in the browser after adding claims.
Reproducing Steps
`dialect` variable.
`XSS`)
Timeline
2019-06-25 – Discovered in WSO2 Identity Server 5.7.0 Version
2019-06-25 – Reported to [email protected]
2019-06-25 – Got instant response from WSO2 security team, "Thanks for the latest analysis on WSO2 Identity Server. We'll do the review on this and get back to you soon."
2019-07-12 - Got mail from WSO2 team saying, "Currently, issues reported in Identity Server are under the analyzing state."
2019-08-13 - Fixing in all affected versions
2019-09-10 - Customer Announcement Done. Public Announcement is scheduled at the end of September
2019-10-08 - Got mail saying, "We have scheduled a public announcement for the issue by the end of this week"
2019-11-04 - Customer Announcement is done. Public Announcement is done. Please refer to [1] for the Security Advisory
Note: Since we have contributed WSO2-2017-0265, WSO2-2019-0616 and WSO2-2019-0633 to the WSO2 team, our name is already listed on their security acknowledgment page [2]
[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0634
[2] https://docs.wso2.com/display/Security/Acknowledgments
Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab
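The stored-XSS pattern reported above, with the `dialect` value saved and later written into a page, is closed by validating the value on input and encoding it on output. The following is an added example, not code from the report or from WSO2; the function names, the URI policy and the `<option>` markup shape are assumptions made for illustration.

```javascript
// Added example (not WSO2 code): input validation plus output encoding
// for a stored claim dialect value. All names here are hypothetical.

// Constructed sample values: a plausible dialect URI and the payload from the report.
const SAMPLES = [
  "http://example.org/claims",
  "<script>alert(document.cookie)</script>",
];

// Input check (assumed policy): absolute http(s)/urn URI, no markup characters.
function isValidDialectUri(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 255) return false;
  if (/[<>"'`\s]/.test(value)) return false;
  try {
    const u = new URL(value);
    return ["http:", "https:", "urn:"].includes(u.protocol);
  } catch {
    return false; // not parseable as an absolute URI
  }
}

// Output encoding for HTML element content and quoted attribute values.
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is.
function renderOptionUnsafe(dialect) {
  return '<option value="' + dialect + '">' + dialect + "</option>";
}

// Hardened pattern: the stored value is encoded at the point of output,
// so it is safe even if an old, unvalidated record is still in the store.
function renderOptionSafe(dialect) {
  const e = encodeForHtml(dialect);
  return '<option value="' + e + '">' + e + "</option>";
}

for (const s of SAMPLES) {
  console.log(isValidDialectUri(s) ? "accepted" : "rejected", "->", renderOptionSafe(s));
}
```

Marking the session cookie `HttpOnly` additionally keeps `document.cookie` from exposing it to any script that does run.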