Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS)
Vulnerability Overview
Ping Identity Agentless Integration Kit before 1.5 is susceptible to
Reflected Cross-site Scripting at the /as/authorization.oauth2
endpoint due to improper encoding of an arbitrarily submitted HTTP
GET parameter name.
- Identifier : SBA-ADV-20190305-01
- Type of Vulnerability : Cross-site Scripting
- Software/Product Name : Ping Identity Agentless Integration Kit
- Vendor : Ping Identity
- Affected Versions : < 1.5
- Fixed in Version : 1.5
- CVE ID : CVE-2019-13564
- CVSSv3 Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVSSv3 Base Score : 6.1 (Medium)
Vendor Description
After authenticating the user (via a federated security token or authentication adapter), the user will be presented to the protected application via an SP adapter. This adapter provides the last-mile connection between the federation server (PingFederate) and the application, the user will be presented to the application which can then create a session and render the application for the authenticated user.
Impact
By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim's browser within the origin of the target site. This can be misused, for example, for phishing attacks by displaying a fake login form in the context of the trusted site via JavaScript and then sending the victim's credentials to the attacker.
Vulnerability Description
The /as/authorization.oauth2 endpoint of PingFederate takes several
HTTP GET parameter name-value pairs, which are subsequently rendered
as an HTML form with hidden input fields.
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb
The name of the HTTP parameter is rendered as the name attribute of
the corresponding input field, and the HTTP parameter value is rendered
as the value attribute. The content of the value attribute is HTML-
encoded and therefore not susceptible to XSS. However, the content of
the name attribute is written to the HTML document without any
encoding or sanitization.
Proof of Concept
An attacker can exploit this vulnerability by ending the HTML attribute
and element and then inserting, for example, a script tag.
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
The last parameter reads as follows when URL-decoded:
"><script>alert(1)</script>This leads to the following HTML response (shortened for readability):
<form method="post" action="[...]">
<input type="hidden" name="REF" value="[...]"/>
<!-- ... -->
<input type="hidden" name=""><script>alert(1)</script>" value=""/>
<!-- ... -->
</form>Recommended Countermeasures
We recommend to HTML-encode the parameter name the same way the parameter value is encoded.
Timeline
2019-03-05Identified the vulnerability in version < 1.52019-03-25Contacted the vendor via support2019-05-24Finding review with Ping Identity and SBA Research2019-07-11Publication of CVE-2019-13564
References
Credits
- Thomas Konrad (SBA Research)