Stored Cross Site Scripting (XSS) in "malicious dialect URI" on WSO2 Product - (WSO2 Identity Server version 5.7.0) #20

Open
cybersecurityworks opened this issue Nov 29, 2019 · 0 comments

Details:

WSO2 Product Bug Report
Bug Name: Stored Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 Identity Server
Version: 5.7.0
Homepage: https://wso2.com/
Severity: Medium
Status: Fixed
Exploitation Requires Authentication?: yes

AFFECTED PRODUCTS:

[1] WSO2 API Manager
[2] WSO2 IS as Key Manager
[3] WSO2 Identity Server

Description:

A Cross-Site Scripting (XSS) vulnerability exists in the WSO2 API Manager product. By exploiting it, an attacker can hijack a logged-in user's session by stealing cookies, which means the attacker can change the logged-in user's password and invalidate the victim's session while maintaining access.

Proof of concept: (POC)

Figure 01: Adding Identity providers information

Figure 02: Added XSS payload, XSS"><script>alert(document.cookie)</script>, in Basic Claim Configuration gets stored

Figure 03: Above added Custom Claim Dialect value gets stored and added to select drop down box of “Advanced Claim Configuration”

Figure 04: Clicking on Add Claim executes the stored XSS Payload

Figure 05: Clicking on Add claim button will keep adding the XSS Payload to the page.


Reproducing Steps

  1. Log in to the application.
  2. Go to URL.
  3. Add identity provider information.
  4. Click on Claim Configuration.
  5. Navigate to Basic Claim Configuration.
  6. Choose Define Custom Claim Dialect and add a Claim Mapping with an XSS payload (like, XSS"><script>alert(document.cookie)</script>).
  7. Then, navigate to Advanced Claim Configuration.
  8. Select the Claim URI from the Provisioning Claim Filter section.
  9. Click the Add Claim button; the stored XSS payload is reflected in the browser.
  10. Similarly, the stored XSS payload is reflected in the browser every time the user clicks the “Add Claim” button.

Timeline

2019-06-29 – Discovered in WSO2 Identity Server v5.7.0.
2019-06-29 – Reported to security@wso2.com
2019-06-29 – Got instant response from WSO2 security team, "Thanks for your analysis report. I will forward this to respective product team and they will get back to you with the feedback ASAP."
2019-07-01 – Got response from WSO2 security team, "Thank you for reporting this issue. We were able to reproduce it, and now further analyzing on solving this. We will keep you posted."
2019-07-12 – Got mail from WSO2 team saying, "Currently, issues reported in Identity Server are under the analyzing state."
2019-08-13 – Fixing in all affected versions
2019-09-10 – Customer Announcement is done. Public Announcement is scheduled at the end of September.
2019-10-08 – Got mail saying, "We have scheduled a public announcement for the issue by the end of this week"
2019-11-04 – Customer Announcement is done. Public Announcement is done. Please refer [1] for Security Advisory

Note: Since we have contributed WSO2-2017-0265, WSO2-2019-0616, WSO2-2019-0633 and WSO2-2019-0634 to the WSO2 team, our name is already listed on their security acknowledgment page [2].

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0635
[2] https://docs.wso2.com/display/Security/Acknowledgments


Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab
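
The report above describes a stored claim dialect value being placed into a select drop-down without encoding. The following is an added example, not WSO2 code and not part of the original report, contrasting that pattern with output encoding plus input validation; all function names, the sample URI and the validation policy are assumptions, and the report does not state how WSO2 fixed the issue.

```javascript
// Added illustration; not WSO2 code. All function names here are hypothetical.

// Constructed sample of stored claim URIs; the second is the payload quoted in the report.
const storedClaimUris = [
  'http://example.org/claims/email',
  'XSS"><script>alert(document.cookie)</script>',
];

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so a double quote closes the value attribute and the rest is parsed as HTML.
function renderOptionUnsafe(uri) {
  return '<option value="' + uri + '">' + uri + '</option>';
}

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: encode at output time, regardless of what the store contains.
function renderOptionSafe(uri) {
  const v = escapeHtml(uri);
  return '<option value="' + v + '">' + v + '</option>';
}

// Defence in depth at input time (assumed policy): accept only absolute
// http(s) or urn URIs that contain no markup, quote or whitespace characters.
function isAcceptableClaimUri(uri) {
  if (typeof uri !== 'string' || uri.length === 0 || uri.length > 255) return false;
  if (/[<>"'`\s]/.test(uri)) return false;
  return /^(https?:\/\/|urn:)[A-Za-z0-9._~:\/?#\[\]@!$&()*+,;=%-]+$/.test(uri);
}

// Build the drop-down with whichever option renderer is passed in.
function renderSelect(uris, renderOption) {
  return '<select name="claimUri">' + uris.map(renderOption).join('') + '</select>';
}

console.log('unsafe:', renderSelect(storedClaimUris, renderOptionUnsafe));
console.log('safe:  ', renderSelect(storedClaimUris, renderOptionSafe));
console.log('accepted on input:', storedClaimUris.filter(isAcceptableClaimUri));
```

Encoding at output is the control that closes the issue; the input check only reduces what can reach the store and should not be relied on alone.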
