cybersecurityworks changed the title from "Reflected Cross Site Scripting (XSS) in WSO2 Product - WSO2 API Manager version 2.6.0" to "Stored Cross Site Scripting (XSS) in WSO2 Product - WSO2 Identity Server version 5.7.0" on Nov 29, 2019
cybersecurityworks changed the title from "Stored Cross Site Scripting (XSS) in WSO2 Product - WSO2 Identity Server version 5.7.0" to "Reflected Cross Site Scripting (XSS) in WSO2 Product (WSO2 API Manager version 2.6.0)" on Nov 29, 2019
Details:
WSO2 Product Bug Report
Bug Name: Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager Product.
Version: 2.6.0
Homepage: https://wso2.com/
Severity: Low
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag
Vulnerable Variable: docName
Description:
A cross-site scripting (XSS) vulnerability exists in the WSO2 API Manager product. By exploiting it, an attacker can hijack a logged-in user's session by stealing cookies, which means the attacker can change the logged-in user's password and invalidate the victim's session while maintaining access.
Proof of concept: (POC)
POST request
The docName variable is vulnerable to reflected cross site scripting (XSS) in the URL, https://192.168.107.2:9443/publisher/site/blocks/documentation/ajax/docs.jag
Figure 01: New document created in the API
Figure 02: Choose ‘Edit Content’ to edit document information.
Figure 03: Actual GET request URL
Figure 04: Crafted request with XSS payload, XSS<img src=x onerror=prompt(1)> gets reflected in the same browser as response.
Reproducing Steps
Go to ‘Edit Content’ available to edit the document details.
Modify the URL variable, docName, with an XSS payload, XSS<img src=x onerror=prompt(1)>
Now, click on the crafted URL to execute the injected XSS payload every time.
Timeline
2019-06-21 – Discovered in WSO2 API Manager Product version 2.6.0
2019-06-21 – Reported to security@wso2.com
2019-06-21 – Got instant response from WSO2 security team, "Thanks for reporting the issue. We'll look into this and get back to you. Appreciate your continued support."
2019-07-12 - Customer Announcement - End of July, Public Announcement: End of August.
2019-08-13 - Customer Announcement is done. Public Announcement is scheduled.
2019-09-10 - Customer Announcement is done. Public Announcement is scheduled at the end of September. [postponed to September due to internal reasons]
2019-10-08 - Got mail saying, "We have scheduled a public announcement for the issue by the end of this week"
2019-11-04 - Customer Announcement is done. Public Announcement is done. Please refer to [1] for the Security Advisory.
Note: Since we have contributed WSO2-2017-0265 and WSO2-2019-0616 to the WSO2 team, our name is already listed on their security acknowledgment page [2].
[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0633
[2] https://docs.wso2.com/display/Security/Acknowledgments
Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab
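The class of fix for a reflected parameter such as docName, as an added example (not WSO2's code and not part of the original report): the payload from this report is run through an unsafe echo and through a hardened one. The function names and the allow-list policy for document names are assumptions made for illustration.

```javascript
// Added illustration: not WSO2 code. renderDocTitle* are hypothetical helpers
// standing in for any server-side template that echoes the docName parameter.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list for document names (assumed policy): letters, digits, _, space, dot, dash.
function isValidDocName(name) {
  return typeof name === 'string' && /^[\w .-]{1,60}$/.test(name);
}

// Before: the query value is concatenated straight into markup (reflected XSS).
function renderDocTitleUnsafe(query) {
  return '<h2>Edit content: ' + query.docName + '</h2>';
}

// After: reject names outside the allow-list, and encode on output regardless,
// so a later loosening of the allow-list does not reopen the hole.
function renderDocTitleSafe(query) {
  const name = Array.isArray(query.docName) ? query.docName[0] : query.docName;
  if (!isValidDocName(name)) {
    return { status: 400, body: '<h2>Invalid document name</h2>' };
  }
  return { status: 200, body: '<h2>Edit content: ' + escapeHtml(name) + '</h2>' };
}

// Constructed sample input: the report's payload, URL-encoded as a query string.
const crafted = new URLSearchParams('docName=XSS%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3E');
const query = { docName: crafted.get('docName') };

console.log(renderDocTitleUnsafe(query));                       // markup reaches the browser intact
console.log(renderDocTitleSafe(query));                         // rejected with status 400
console.log(renderDocTitleSafe({ docName: 'API Guide v1.0' })); // legitimate name passes
console.log(escapeHtml(query.docName));                         // inert text if it were echoed
```

Validation and encoding are both kept on purpose: the allow-list narrows what the endpoint accepts, while output encoding is what actually neutralises markup in the response.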