Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored Cross Site Scripting (XSS) in ' HTTP POST request with a harmful request parameter for context' | WSO2 API Manager version 2.6.0 | WSO2 Product #23

Open
cybersecurityworks opened this issue Jan 20, 2020 · 0 comments

Comments

@cybersecurityworks
Copy link
Owner

cybersecurityworks commented Jan 20, 2020

Details:

WSO2 Product Bug Report
Bug Name: Stored Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager
Version: 2.6.0
Homepage: https://wso2.com/
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: yes

AFFECTED PRODUCTS:

[1] WSO2 API Manager

Description:

Cross Site Scripting (XSS) vulnerability in WSO2 API Manager Product. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged in user’s session by stealing cookies which means that the malicious hacker can change the logged in user’s password and invalidate the session of the victim while the hacker maintains access.

Proof of concept: (POC)

The following Vulnerability is tested on WSO2 API Manager version 2.6.0 Product.
Issue 01: Stored cross site scripting:

Picture1
Figure 01: Design an API with valid values in the required fields of the page

Picture2
Figure 02: Click on “Next Implement” after completing the forms with valid information

Picture3
Figure 03: valid HTTP Request captured in the proxy with filled information

Picture4
Figure 04: ‘Context’ variable is added with XSS Payload, “><script>alert(document.cookie)</script>

Picture5
Figure 05: Submitted the API details to the server with XSS payload

Picture6
Figure 06: XSS Payload gets stored and reflects whenever the user views the page.

Picture7
Figure 07: Stored XSS payload in the source code


Reproducing Steps

  1. Login to the Application.
  2. Go to the URL for creating an API.
  3. Fill all the required information and click on “Next: Implement”
  4. Capture the HTTP request in the proxy and add XSS payload “XSS”><script>alert(document.cookie)</script>” to the “context” variable
  5. Deploy the prototype with added XSS payload
  6. Injected XSS payload gets reflected whenever the user visits or reloads the page.

Timeline

2019-07-05 – Discovered in WSO2 API Manager v2.6.0
2019-07-06 – Reported to intigriti platform.
2019-07-23 - Closed the issue in intigriti platform saying it as "out of scope"
2019-07-26 – Reported to [email protected]
2019-07-26 – Got instant response from WSO2 security team, "Thanks for sending new issues. Let us evaluate them and get back to you with the results."
2019-08-05 – Got mail from WSO2 team saying, "We were able to reproduce the issue with APIM 2.6.0. We will fix this and provide you with an update."
2019-08-13 - Fixing in all affected versions
2019-09-10 - Customer Announcement is scheduled
2019-10-08 - Got mail saying, "Customer Security Announcement for the issues are scheduled by the end of September"
2019-11-04 - Customer Announcement is done. Public Announcement is done. Please refer [1] for Security Advisory

Note: Since, we have contributed on WSO2-2017-0265, WSO2-2019-0616, WSO2-2019-0633, WSO2-2019-0634, WSO2-2019-0635, WSO2-2019-0644 and WSO2-2019-0645 to WSO2 team, our name already got listed in their security acknowledgment page [2]

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0647
[2] https://docs.wso2.com/display/Security/Acknowledgments


Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant