Stored XSS on "Scheduled Outages"

Description

Overview

A web application may require fields for user input in its regular operation. If the application does not validate this input and encode it when it is written back into a page, an attacker can inject a payload that the server stores or reflects and that the victim's browser then interprets as markup or script. Cross-Site Scripting (XSS) is an injection vulnerability in which attacker-supplied JavaScript is delivered to other users through the vulnerable application: either the application stores the payload and serves it to everyone who views the affected page, or the attacker tricks a victim into sending a crafted request, typically through phishing or other social engineering.

Using XSS, an attacker can steal session identifiers and perform session hijacking or session fixation, act inside the application with the victim's privileges, and in some cases pivot to further attacks against the user's browser. XSS works because the browser cannot distinguish script injected through the application from script the application legitimately serves: anything delivered from the site's origin runs with that origin's full trust.

There are multiple types of XSS vulnerabilities:

  • *Stored or Persistent or Type 2*: Stored XSS occurs when the application saves the payload on the server (for example in a database or a configuration file) and later renders it to other users, so a single injection affects every user who views the affected page rather than one victim at a time.

  • *Reflected or Type 1*: In Reflected XSS, the application echoes the payload from the request (a URL parameter, form field or header) straight into its immediate response. The attacker therefore has to deliver a crafted request to each victim, usually as a link.

  • *Self XSS*: A Self XSS attack occurs when a user is tricked into running the payload themselves, for example by pasting a crafted URL or script into their own browser or developer console. The payload could come from an attacker during a phishing or similar attack. Unlike Stored or Reflected XSS, a Self XSS payload is never stored on or reflected by the server, which is why it is usually rated lower in severity.

  • *Document Object Model (DOM) XSS or Type 0*: In DOM-based XSS the payload does not have to pass through the server's response at all. Client-side JavaScript reads attacker-controlled data from the DOM or the URL (for example the fragment or the referrer) and writes it into a dangerous sink such as `innerHTML` or `eval`, where the browser executes it.

*Note*: For more information on DOM-based XSS, see the [OWASP Cheat Sheet for DOM XSS](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)

During the test, JavaScript was injected into the `Name` field while creating a new scheduled outage. The injected code was stored and executed every time the scheduled outage list was displayed afterwards, confirming a *Stored XSS*.

Browser URL

https://pentest24.eastus.cloudapp.azure.com/opennms/admin/sched-outages/editoutage.jsp

Steps To Reproduce

1-) Log in to the application and navigate to the https://pentest24.eastus.cloudapp.azure.com/opennms/admin/sched-outages/index.jsp URL.
2-) Insert the following payload into the *Name* field, then click the *Plus `+`* button:
```
cobalt'"><img src=x onerror=prompt(location)>
```

![admin_sched_outages.png](https://api.us.cobalt.io/v1/attachments/att_LDhITrk/preview)

3-) Fill in all the required information to create the scheduled outage, then click the *Save* button:

![admin_sched_outages_edit.png](https://api.us.cobalt.io/v1/attachments/att_OroAscS/preview)

![admin_sched_outages_edit_2.png](https://api.us.cobalt.io/v1/attachments/att_XiWqdYi/preview)

4-) After completing the scheduled outage creation, navigate to the https://pentest24.eastus.cloudapp.azure.com/opennms/admin/sched-outages/index.jsp URL.

  • When the page loads, the JavaScript inserted into the `Name` field executes: the `prompt` dialog from the payload shows the page location. Because the value is stored on the server, this happens for every user who opens the scheduled outage list, not only for the account that submitted it.

![admin_sched_outages_XSS.png](https://api.us.cobalt.io/v1/attachments/att_WIMLYZ3/preview)

Severity

medium

An attacker who exploits a cross-site scripting vulnerability is typically able to:

  • Impersonate or masquerade as the victim user.

  • Carry out any action that the user is able to perform.

  • Read any data that the user is able to access.

  • Capture the user's login credentials.

  • Perform virtual defacement of the web site.

  • Inject trojan functionality into the web site.

Suggested Fix

  • Validate input on the server side. Reject values that do not match what the field needs (an outage name has no legitimate need for `<`, `>` or quote characters) and do not accept HTML content unless the feature requires it. Treat validation as a first line of defence only; it does not replace output encoding.

  • Always encode output for the context in which it is rendered (HTML element content, attribute value, JavaScript string, URL). Never write a stored value into the page as-is; encoding breaks the structure of a payload so the browser treats it as literal text instead of markup or script.

  • Use libraries and software components, such as the [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/), which provide reusable software components for input validation, escaping, and more.

  • Turn off support for HTTP `TRACE` on all web servers. This is defence in depth against cross-site tracing; it does not remove the XSS itself.

  • Set session cookies with the `HttpOnly` flag so that injected script cannot read `JSESSIONID`. This limits cookie theft but does not stop a payload from performing actions with the victim's live session.

  • Keep JavaScript and Bootstrap libraries up to date.

  • Deploy a securely configured `Content-Security-Policy` (CSP) HTTP header that does not allow inline script or inline event handlers. With such a policy the `onerror` handler in the payload above would be blocked by the browser even if the encoding fix were missed in one place.
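The following is an added example in JavaScript, not OpenNMS code. It uses a stand-in for the outage-list row template to show why the `Name` value from the Steps To Reproduce executes, the same row rendered with the HTML output encoding suggested above, and a small check that a tester can run over a saved copy of `index.jsp` during a retest to tell whether the payload came back raw or encoded. The row markup and the function names are assumptions made for illustration; the payload is the one from this finding.

```javascript
// Added example (not OpenNMS code). The row template is a stand-in for the
// scheduled-outage list on index.jsp; its markup and these function names are
// assumptions made for illustration.

// Payload from the Steps To Reproduce section of this finding.
const PAYLOAD = `cobalt'"><img src=x onerror=prompt(location)>`;

// Encode a value for HTML element content or a quoted attribute value.
// This is the entity set the OWASP XSS Prevention Cheat Sheet recommends.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the stored name is concatenated into the markup
// unchanged, so the quotes and "><" in the payload close the attribute and
// the anchor and start a new <img> element whose onerror handler runs.
function renderOutageRowUnsafe(name) {
  return `<tr><td><a href="editoutage.jsp?name=${name}">${name}</a></td></tr>`;
}

// Fixed rendering: the value that lands in the URL query is URL-encoded and
// then HTML-encoded for the attribute context; the value shown as link text
// is HTML-encoded. The browser now renders the payload as literal text.
function renderOutageRowSafe(name) {
  const inHref = escapeHtml(encodeURIComponent(name));
  const inText = escapeHtml(name);
  return `<tr><td><a href="editoutage.jsp?name=${inHref}">${inText}</a></td></tr>`;
}

// Retest helper: given the HTML of the outage list and the payload that was
// submitted, report whether the payload's tag came back executable ("raw"),
// neutralised as entities ("encoded"), or not at all ("absent").
function classifyPayloadRendering(html, payload) {
  const tagMatch = payload.match(/<([a-z][a-z0-9]*)[^>]*>/i);
  if (!tagMatch) throw new Error("payload contains no HTML tag to look for");
  const [tag, tagName] = tagMatch;
  if (html.includes(tag)) return "raw";
  if (html.includes("&lt;" + tagName)) return "encoded";
  return "absent";
}

// Render the payload both ways and classify each result.
function demo() {
  const unsafe = renderOutageRowUnsafe(PAYLOAD);
  const safe = renderOutageRowSafe(PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeVerdict: classifyPayloadRendering(unsafe, PAYLOAD),
    safeVerdict: classifyPayloadRendering(safe, PAYLOAD),
  };
}

const rendered = demo();
console.log("vulnerable row:", rendered.unsafe, "->", rendered.unsafeVerdict);
console.log("fixed row     :", rendered.safe, "->", rendered.safeVerdict);
```

`classifyPayloadRendering` only looks for the first tag in the payload, which is enough for the `<img onerror>` probe used here; a retest against a different payload shape should adapt the pattern accordingly.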

References

  • [OWASP on XSS Attacks](https://owasp.org/www-community/attacks/xss/)

  • [OWASP on Types of XSS](https://owasp.org/www-community/Types_of_Cross-Site_Scripting#)

  • [Portswigger on XSS](https://portswigger.net/web-security/cross-site-scripting)

  • [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

Prerequisites

A valid user account with permission to create scheduled outages is required (an administrative account, since the page lives under `/opennms/admin/`).

HTTP Request

POST /opennms/admin/sched-outages/editoutage.jsp HTTP/1.1
Host: pentest24.eastus.cloudapp.azure.com
Cookie: use_requisitions_node_vertical_layout=false; JSESSIONID=node0121q7pt9fp8ln16kwm9hb6zs02150311.node0; JSESSIONID=node012qy0df4ys2nonaypt1l3dy9b51193.node0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 411
Origin: null
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

_csrf=1b044fe5-6fcb-4dec-819a-f01a661f9adc&formSubmission=true&deleteOutageType=false&outageType=specific&chooseDayOfMonth=1&chooseDayOfWeek=sunday&chooseStartDay=26&chooseStartMonth=Apr&chooseStartYear=2024&chooseStartHour=00&chooseStartMinute=00&chooseStartSecond=00&chooseFinishDay=26&chooseFinishMonth=Apr&chooseFinishYear=2024&chooseFinishHour=23&chooseFinishMinute=59&chooseFinishSecond=59&saveButton=Save

Cobalt URL

#PT22584_8

Acceptance / Success Criteria

None

Activity

Christian Pape July 5, 2024 at 9:31 AM

Merged.

Christian Pape July 2, 2024 at 11:31 AM

Fixed

Details

Created June 13, 2024 at 6:31 PM
Updated July 8, 2024 at 4:38 PM
Resolved July 5, 2024 at 9:31 AM