Reflected Cross Site Scripting (XSS) in WSO2 Product (WSO2 API Manager version 2.6.0) #18

Open
cybersecurityworks opened this issue Nov 27, 2019 · 0 comments

Details:

WSO2 Product Bug Report
Bug Name: Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager Product.
Version: 2.6.0
Homepage: https://wso2.com/
Severity: Low
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag
Vulnerable Variable: docName

Description:

A Cross Site Scripting (XSS) vulnerability exists in the WSO2 API Manager product. By exploiting a cross-site scripting vulnerability, the attacker can hijack a logged-in user’s session by stealing cookies, which means that the malicious hacker can change the logged-in user’s password and invalidate the session of the victim while the hacker maintains access.

Proof of concept: (POC)

The POST request variable docName is vulnerable to reflected cross site scripting (XSS) at the URL https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag

Figure 01: New document created in the API

Figure 02: Choose ‘Edit Content’ to edit document information.

Figure 03: Actual GET request URL

Figure 04: Crafted request with the XSS payload XSS<img src=x onerror=prompt(1)>, which gets reflected in the same browser as the response.


Reproducing Steps

  1. Log in to the application (admin/admin) through the login URL.
  2. Go to the API ‘Docs’ section in the created API.
  3. Fill in the ‘Add New document’ details and submit them.
  4. Go to ‘Edit Content’, which is available to edit the document details.
  5. Modify the URL variable docName with an XSS payload, XSS<img src=x onerror=prompt(1)>
  6. Now, click on the crafted URL to execute the injected XSS payload every time.

Timeline

2019-06-21 – Discovered in WSO2 API Manager Product version 2.6.0
2019-06-21 – Reported to security@wso2.com
2019-06-21 – Got instant response from WSO2 security team, "Thanks for reporting the issue. We'll look into this and get back to you. Appreciate your continued support."
2019-07-12 – Customer Announcement: End of July, Public Announcement: End of August.
2019-08-13 – Customer Announcement is done. Public Announcement is scheduled.
2019-09-10 – Customer Announcement is done. Public Announcement is scheduled at the end of September. [postponed to September due to internal reasons]
2019-10-08 – Got mail saying, "We have scheduled a public announcement for the issue by the end of this week"
2019-11-04 – Customer Announcement is done. Public Announcement is done. Please refer to [1] for the Security Advisory.

Note: Since we have contributed WSO2-2017-0265 and WSO2-2019-0616 to the WSO2 team, our name is already listed on their security acknowledgment page [2].

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0633
[2] https://docs.wso2.com/display/Security/Acknowledgments


Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab

@cybersecurityworks cybersecurityworks changed the title Reflected Cross Site Scripting (XSS) in WSO2 Product - WSO2 API Manager version 2.6.0 Stored Cross Site Scripting (XSS) in WSO2 Product - WSO2 Identity Server version 5.7.0 Nov 29, 2019
@cybersecurityworks cybersecurityworks changed the title Stored Cross Site Scripting (XSS) in WSO2 Product - WSO2 Identity Server version 5.7.0 Reflected Cross Site Scripting (XSS) in WSO2 Product (WSO2 API Manager version 2.6.0) Nov 29, 2019
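
One way to neutralise a request value that is reflected into a page, as docName is in this report: validate it against an allowlist on input and HTML-encode it on output. This is an added example, not code from the report or from WSO2; the function names, the markup and the allowlist policy are assumptions.

```javascript
// Added example. Stand-in for a handler that reflects docName into HTML.
// Names, markup and the allowlist policy are assumptions, not WSO2 code.

// Characters that can break out of HTML text or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;', '`': '&#x60;',
};

function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed policy: 1-60 characters of letters, digits, space, dot,
// underscore or hyphen. Adjust to the real naming rules of the product.
const DOC_NAME_RE = /^[A-Za-z0-9 ._-]{1,60}$/;

function isValidDocName(name) {
  return typeof name === 'string' && DOC_NAME_RE.test(name);
}

// Vulnerable shape: the request value is concatenated into markup as-is.
function renderUnsafe(docName) {
  return '<h2>Edit content: ' + docName + '</h2>';
}

// Hardened shape: reject names outside the allowlist without echoing them,
// and encode on output even for names that passed validation.
function renderSafe(docName) {
  if (!isValidDocName(docName)) {
    return { status: 400, body: '<p>Invalid document name.</p>' };
  }
  return { status: 200, body: '<h2>Edit content: ' + encodeForHtml(docName) + '</h2>' };
}

// Constructed inputs: a normal name and the payload quoted in the report.
const samples = ['UserGuide-v1', 'XSS<img src=x onerror=prompt(1)>'];
for (const s of samples) {
  console.log('unsafe :', renderUnsafe(s));
  console.log('encoded:', encodeForHtml(s));
  console.log('safe   :', JSON.stringify(renderSafe(s)));
}
```

Output encoding is the control that removes the injection; the allowlist only narrows what reaches it, so keep both.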