Stored Cross Site Scripting (XSS) in 'HTTP POST request with a harmful request parameter for context' | WSO2 API Manager version 2.6.0 | WSO2 Product
#23
A stored cross-site scripting (XSS) vulnerability exists in the WSO2 API Manager product. By exploiting it, an attacker can hijack a logged-in user’s session by stealing cookies, which means the attacker can change the logged-in user’s password and invalidate the victim’s session while maintaining access.
Proof of concept (PoC):
The following vulnerability was tested on WSO2 API Manager version 2.6.0.
Issue 01: Stored cross-site scripting
Figure 01: Design an API with valid values in the required fields of the page
Figure 02: Click “Next: Implement” after completing the forms with valid information
Figure 03: Valid HTTP request captured in the proxy with the filled-in information
Figure 04: The ‘context’ variable with the XSS payload added, “><script>alert(document.cookie)</script>
Figure 05: API details submitted to the server with the XSS payload
Figure 06: The XSS payload is stored and is reflected whenever the user views the page.
1. Fill in all the required information and click “Next: Implement”.
2. Capture the HTTP request in the proxy and add the XSS payload “XSS”><script>alert(document.cookie)</script>” to the “context” variable.
3. Deploy the prototype with the added XSS payload.
4. The injected XSS payload is reflected whenever the user visits or reloads the page.
Timeline
2019-07-05 - Discovered in WSO2 API Manager v2.6.0
2019-07-06 - Reported to the Intigriti platform.
2019-07-23 - Issue closed on the Intigriti platform as "out of scope".
2019-07-26 - Reported to [email protected]
2019-07-26 - Got an instant response from the WSO2 security team: "Thanks for sending new issues. Let us evaluate them and get back to you with the results."
2019-08-05 - Got mail from the WSO2 team saying, "We were able to reproduce the issue with APIM 2.6.0. We will fix this and provide you with an update."
2019-08-13 - Fixing in all affected versions
2019-09-10 - Customer Announcement is scheduled
2019-10-08 - Got mail saying, "Customer Security Announcement for the issues are scheduled by the end of September"
2019-11-04 - Customer Announcement is done. Public Announcement is done. Please refer to [1] for the Security Advisory.
Details:
WSO2 Product Bug Report
Bug Name: Stored Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager
Version: 2.6.0
Homepage: https://wso2.com/
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: yes
AFFECTED PRODUCTS:
[1] WSO2 API Manager
Figure 07: Stored XSS payload in the source code
Reproducing Steps
Note: Since we have contributed WSO2-2017-0265, WSO2-2019-0616, WSO2-2019-0633, WSO2-2019-0634, WSO2-2019-0635, WSO2-2019-0644 and WSO2-2019-0645 to the WSO2 team, our name is already listed on their security acknowledgment page [2].
[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0647
[2] https://docs.wso2.com/display/Security/Acknowledgments
Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab
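The report above changes the "context" parameter in the proxy, after the browser form has been filled in, so only server-side validation and output encoding can stop the stored value from breaking out of the page markup. The following is an added defensive example, not WSO2 code and not part of the original report; all function names, the input-field markup and the context allowlist are assumptions made for illustration.

```javascript
// Added example (hypothetical names; not taken from WSO2 API Manager).
// Constructed sample input: the payload string quoted in the report.
const REPORTED_PAYLOAD = '"><script>alert(document.cookie)</script>';

// Vulnerable pattern: the stored value is interpolated into a quoted
// attribute without encoding, so a leading "> closes the attribute and tag.
function renderContextUnsafe(context) {
  return `<input type="text" name="context" value="${context}">`;
}

// Output encoding for HTML text and quoted-attribute positions.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: same markup, value encoded at output time.
function renderContextSafe(context) {
  return `<input type="text" name="context" value="${escapeHtml(context)}">`;
}

// Assumed allowlist: a context is a URL-path-like string made of
// slash-separated segments of letters, digits, '.', '_' and '-'.
const CONTEXT_PATTERN = /^\/?[A-Za-z0-9._-]+(?:\/[A-Za-z0-9._-]+)*$/;
function isValidContext(context) {
  return typeof context === 'string'
    && context.length <= 200
    && CONTEXT_PATTERN.test(context);
}

// Server-side save path: reject invalid input before it is stored,
// and still encode on output in case older records were never validated.
function saveApiContext(store, context) {
  if (!isValidContext(context)) {
    return { ok: false, error: 'invalid context' };
  }
  store.context = context;
  return { ok: true, html: renderContextSafe(store.context) };
}
```

Marking the session cookie HttpOnly additionally keeps it out of reach of `document.cookie`, the impact path the report describes.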