Cross-Site Scripting (XSS) vulnerability in the WSO2 API Manager product. By exploiting a cross-site scripting vulnerability, an attacker can hijack a logged-in user's session by stealing cookies, which means a malicious actor can change the logged-in user's password and invalidate the victim's session while the attacker retains access.
DETAILS:
Bug Name: Reflected Cross-Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager
Version: 3.1.0
Homepage: https://wso2.com/
Severity: Medium
Status: Unfixed on referenced version
Exploitation Requires Authentication: No
CVE: CVE-2020-27885
AFFECTED PRODUCTS:
WSO2 API Manager
PROOF OF CONCEPT (POC):
The following vulnerability was tested on WSO2 API Manager version 3.1.0.
Issue 01: Reflected cross-site scripting
-> Access the API manager portal:
-> Input the payload in the client_id parameter.
The XSS vulnerability also occurs in the following endpoint and parameter combinations:
- / [client_id parameter]
- / [commonAuthCallerPath parameter]
- / [forceAuth parameter]
- / [isSaaSApp parameter]
- / [name of an arbitrarily supplied URL parameter]
- / [passiveAuth parameter]
- / [redirect_uri parameter]
- / [relyingParty parameter]
- / [response_type parameter]
- / [scope parameter]
- / [sessionDataKey parameter]
- / [sp parameter]
- / [state parameter]
- / [tenantDomain parameter]
- / [type parameter]
- /commonauth [authFailure parameter]
- /commonauth [authFailureMsg parameter]
- /commonauth [client_id parameter]
- /commonauth [commonAuthCallerPath parameter]
- /commonauth [forceAuth parameter]
- /commonauth [isSaaSApp parameter]
- /commonauth [name of an arbitrarily supplied URL parameter]
- /commonauth [passiveAuth parameter]
- /commonauth [redirect_uri parameter]
- /commonauth [relyingParty parameter]
- /commonauth [response_type parameter]
- /commonauth [scope parameter]
- /commonauth [sessionDataKey parameter]
- /commonauth [sp parameter]
- /commonauth [state parameter]
- /commonauth [tenantDomain parameter]
- /commonauth [type parameter]
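As an added illustration, not part of the original advisory and not WSO2 code, the following Python script scans web-server access-log lines for requests to the two endpoints listed above in which a listed parameter, or any arbitrarily named parameter, carries markup-significant characters. The log lines and IP addresses are constructed for the example; the log format, the `MARKUP` heuristic, the function names and the assumption that the endpoints sit at the server root are all the example's own, so adjust the paths to match your deployment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints and parameters the advisory lists as reflected unsafely (assumed
# to sit at the server root; adjust the paths to your deployment).  The entry
# "name of an arbitrarily supplied URL parameter" means that on these two
# paths any parameter name is reflected too, so names are inspected as well.
LISTED_PARAMS = {
    "/": {
        "client_id", "commonAuthCallerPath", "forceAuth", "isSaaSApp",
        "passiveAuth", "redirect_uri", "relyingParty", "response_type",
        "scope", "sessionDataKey", "sp", "state", "tenantDomain", "type",
    },
    "/commonauth": {
        "authFailure", "authFailureMsg", "client_id", "commonAuthCallerPath",
        "forceAuth", "isSaaSApp", "passiveAuth", "redirect_uri",
        "relyingParty", "response_type", "scope", "sessionDataKey", "sp",
        "state", "tenantDomain", "type",
    },
}

# Markup-significant characters and tokens that have no business in a
# login-flow parameter name or value (assumed detection heuristic).
MARKUP = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Request-line part of an Apache/Tomcat-style access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_request(line):
    """Return (path, name, value, kind) for each reflected parameter carrying markup.

    kind is "listed" for a parameter named in the advisory and "arbitrary"
    for any other parameter name on the same endpoint.
    """
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if url.path not in LISTED_PARAMS:
        return []
    findings = []
    # parse_qsl percent-decodes, so %3Cscript%3E is inspected as <script>.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if MARKUP.search(name) or MARKUP.search(value):
            kind = "listed" if name in LISTED_PARAMS[url.path] else "arbitrary"
            findings.append((url.path, name, value, kind))
    return findings


def scan_log(lines):
    """Run flag_request over every log line and collect the findings."""
    return [finding for line in lines for finding in flag_request(line)]


# Constructed sample access-log lines (not real traffic): two benign
# requests, one payload in a listed parameter, one in an arbitrary
# parameter, and one on a path the advisory does not cover.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2020:10:00:00 +0000] "GET /commonauth?sessionDataKey=abc123&client_id=app1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Nov/2020:10:00:01 +0000] "GET /?redirect_uri=https://example.com/cb&state=xyz HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Nov/2020:10:00:02 +0000] "GET /commonauth?client_id=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Nov/2020:10:00:03 +0000] "GET /?foo=%3Cb%3Ex HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Nov/2020:10:00:04 +0000] "GET /api/search?q=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, name, value, kind in scan_log(SAMPLE_LOG):
        print(f"{path} {kind} parameter {name!r} carries markup: {value!r}")
```

Run against the constructed log, the script reports the `client_id` request on `/commonauth` and the arbitrary `foo` parameter on `/`, and ignores the `/api/search` request because that path is not one the advisory names. Log scanning only finds attempts after the fact; the server-side fix for a reflected XSS of this kind is contextual output encoding of every value (and parameter name) the login pages echo back.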
Discovered by:
Rodrigo Favarini – MITM Labs
MITM-Cybersecurity