Securin Zero-Days

CVE-2020-14445 – Stored Cross-Site Scripting in WSO2 Product 

Severity:Medium

Vendor

WSO2

Affected Product

WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier

CVE

CVE-2020-14445

Securin ID

2020-CSW-05-1043

Status

Fixed

Date

February 10, 2020

Description

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed when the user loads a page created in WSO2 Identity Server version 5.9.0 Product.

Proof of Concept (POC):

The following vulnerability was tested on WSO2 Identity Server version 5.9.0 Product.

Issue 01: Stored cross-site scripting.

Figure 01: Navigating to the Policy Administration and Clicking the Add New Entitlement Policy Link.

Figure 02: Clicking on Basic Policy Editor will redirect to the URL.

Figure 03: Fill the necessary details and Move to the Define Entitlement Rules section.

Figure 04: Intercepting the request, and ‘RuleID’ variable is added with XSS Payload.

Figure 05: Inserted payload gets stored and executed whenever the user visits the page.

Figure 06: Stored XSS payload in the source code

Impact

By leveraging an XSS attack, an attacker can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attacks would not be possible.

Remediations

Apply the relevant fixes based on the changes from the public fix using the following link:

https://github.com/wso2/carbon-identity-framework/pull/2794

Timeline

Jan 31, 2020: Discovered in WSO2 Identity Server Manager version 5.9.0.

Feb 04, 2020: CSW Internal Review.

Feb 10, 2020: Reported to the WSO2 security team.

May 13, 2020: Published to the public.

Let Securin level up your security posture!