Description:
A cross-site scripting (XSS) vulnerability exists in the WSO2 API Manager product. By exploiting it, an attacker can hijack a logged-in user’s session by stealing cookies, which means that the attacker can change the logged-in user’s password and invalidate the victim’s session while maintaining access.
Proof of concept (POC):
The following vulnerability was tested on WSO2 Identity Server version 5.7.0.
Issue 01: Stored cross-site scripting:
Figure 01: Choose “Browse” from the Registry option
Figure 02: Select any ‘Role’ and add “Permission” from the “Permission” section on the same page.
Figure 03: Capture the POST request in the Burp Suite proxy and add the XSS payload “><img src=x onerror=prompt(1)> to the “roleToAuthorize” variable
Figure 04: The injected XSS payload gets stored and executed in the browser
Figure 05: The stored XSS payload gets executed whenever the user loads the page
Reproducing Steps
Select any ‘Role’ and add “Permission” from the “Permission” section on the same page.
Capture the POST request in the Burp Suite proxy and add the XSS payload “><img src=x onerror=prompt(1)> to the “roleToAuthorize” variable.
The injected XSS payload is now stored and executes whenever the user loads the page.
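A defensive sketch for the flaw reproduced above, added here as an example; it is not WSO2's code or the vendor patch. It checks a submitted roleToAuthorize value against an allow-list at write time and HTML-encodes the stored value at render time. The class name, the role-name pattern and the input markup are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class RoleNameXssDemo {
    // Assumed allow-list for role names (hypothetical, not taken from WSO2's code).
    private static final Pattern ROLE_NAME = Pattern.compile("^[A-Za-z0-9_./-]{1,64}$");

    /** Write-time check: reject values that are not plausible role names. */
    static boolean isValidRoleName(String value) {
        return value != null && ROLE_NAME.matcher(value).matches();
    }

    /** Read-time encoding for HTML text and quoted attribute values. */
    static String encodeForHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the stored value is concatenated into an attribute as-is. */
    static String renderUnsafe(String role) {
        return "<input name=\"role\" value=\"" + role + "\">";
    }

    /** Hardened pattern: the stored value is encoded before it reaches the page. */
    static String renderSafe(String role) {
        return "<input name=\"role\" value=\"" + encodeForHtml(role) + "\">";
    }

    public static void main(String[] args) {
        // Constructed samples: a normal role name and the payload quoted in the report.
        String[] samples = { "internal/everyone", "\"><img src=x onerror=prompt(1)>" };
        for (String role : samples) {
            System.out.println("accepted at write time: " + isValidRoleName(role));
            System.out.println("unsafe render: " + renderUnsafe(role));
            System.out.println("safe render:   " + renderSafe(role));
        }
    }
}
```

For the reported payload the allow-list check returns false, and the encoded render keeps the quote and angle brackets inside the attribute value as entities, so no new element is created.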
Timeline
2019-07-02 – Discovered in WSO2 Identity Server 5.7.0 Version
2019-07-02 – Reported to security@wso2.com
2019-07-02 – Got instant response from WSO2 security team, "Thanks for your analysis report. We will evaluate your finding and get back to you soon with our feedback."
2019-08-13 - Fixing in all affected versions
2019-09-10 - Customer Announcement Done. Public Announcement is scheduled at the end of September
2019-10-08 - Got mail saying, "We have scheduled a public announcement for the issue by the end of this week"
2019-11-04 - Got mail saying, "Customer Announcement is done. Public Announcement is scheduled at end of November"
2019-12-03 - Got mail saying, "We have done the public announcement for the remaining two issues. Kindly note that we have aggregated the following two issues."
2019-12-03 - Got mail saying, "... stored XSS issues [Document No: 1050 & Document No: 1051] were reported in registry UI. After analyzing the impact, CVSS Score and fix for the above two issues, we decided to deliver the fix with the same advisory id and patch since the issues could be fixed in the same component. ..."
Details:
WSO2 Product Bug Report
Bug Name: Stored Cross Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 Identity Server
Version: 5.7.0
Homepage: https://wso2.com/
Severity: Low
Status: Fixed
Exploitation Requires Authentication?: yes
Vulnerable URL: https://localhost:9444/carbon/resources/add_role_permission_ajaxprocessor.jsp
Vulnerable Variable: roleToAuthorize
AFFECTED PRODUCTS:
[1] WSO2 API Manager
[2] WSO2 API Manager Analytics
[3] WSO2 IS as Key Manager
[4] WSO2 IS as Key Manager
[5] WSO2 Identity Server
[6] WSO2 Identity Server Analytics
Please refer to [1] for the Security Advisory.
Note: Since we have contributed on WSO2-2017-0265, WSO2-2019-0616, WSO2-2019-0633, WSO2-2019-0634, WSO2-2019-0635, WSO2-2019-0644, WSO2-2019-0645, WSO2-2019-0647 and WSO2-2019-0646 to the WSO2 team, our name is already listed on their security acknowledgment page [2].
[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0636
[2] https://docs.wso2.com/display/Security/Acknowledgments
Discovered by:
Sathish Kumar Balakrishnan from Cyber Security Research Lab