Multiple XSS on API Manager 3.1.0

Cross-Site Scripting (XSS) vulnerability in the WSO2 API Manager product. By exploiting a cross-site scripting vulnerability, an attacker can hijack a logged-in user's session by stealing cookies, which means a malicious actor can change the logged-in user's password and invalidate the victim's session while
the attacker maintains access.

DETAILS:

Bug Name: Reflected Cross-Site Scripting (XSS)
Product Name: WSO2
Server: WSO2 API Manager
Version: 3.1.0
Homepage: https://wso2.com/
Severity: Medium
Status: Unfixed on referenced version
Exploitation Requires Authentication?: No
CVE: CVE-2020-27885

AFFECTED PRODUCTS:
WSO2 API Manager

PROOF OF CONCEPT (POC):
The following vulnerability was tested on WSO2 API Manager version 3.1.0.

Issue 01: Reflected cross-site scripting.
-> Access the API Manager portal:

-> Input the payload in the client_id parameter.

The XSS vulnerability also occurs in the following parameters (listed as endpoint [parameter]):

  • / [client_id parameter]
  • / [commonAuthCallerPath parameter]
  • / [forceAuth parameter]
  • / [isSaaSApp parameter]
  • / [name of an arbitrarily supplied URL parameter]
  • / [passiveAuth parameter]
  • / [redirect_uri parameter]
  • / [relyingParty parameter]
  • / [response_type parameter]
  • / [scope parameter]
  • / [sessionDataKey parameter]
  • / [sp parameter]
  • / [state parameter]
  • / [tenantDomain parameter]
  • / [type parameter]
  • /commonauth [authFailure parameter]
  • /commonauth [authFailureMsg parameter]
  • /commonauth [client_id parameter]
  • /commonauth [commonAuthCallerPath parameter]
  • /commonauth [forceAuth parameter]
  • /commonauth [isSaaSApp parameter]
  • /commonauth [name of an arbitrarily supplied URL parameter]
  • /commonauth [passiveAuth parameter]
  • /commonauth [redirect_uri parameter]
  • /commonauth [relyingParty parameter]
  • /commonauth [response_type parameter]
  • /commonauth [scope parameter]
  • /commonauth [sessionDataKey parameter]
  • /commonauth [sp parameter]
  • /commonauth [state parameter]
  • /commonauth [tenantDomain parameter]
  • /commonauth [type parameter]
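As an added example (not part of the advisory and not WSO2's own tooling), a Python check a defender can run over web-server access logs to spot requests that place markup into the endpoints and parameters listed above. The sample log lines are constructed, and the set of markup markers is an assumption; tune it to the reflection context of your own deployment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters named in the advisory; /commonauth additionally reflects the
# two authFailure* parameters.
COMMON_PARAMS = {
    "client_id", "commonAuthCallerPath", "forceAuth", "isSaaSApp",
    "passiveAuth", "redirect_uri", "relyingParty", "response_type", "scope",
    "sessionDataKey", "sp", "state", "tenantDomain", "type",
}
WATCHED = {"/": COMMON_PARAMS,
           "/commonauth": COMMON_PARAMS | {"authFailure", "authFailureMsg"}}
# Assumed markers: markup that has no business in a legitimate value here.
MARKERS = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)
LOG_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return (name, value) pairs of the request target that carry a marker.
    parse_qsl percent-decodes, so encoded markup is caught; because the advisory
    also lists arbitrarily supplied parameter names, a marker in any *name* is
    flagged regardless of the watched list."""
    parts = urlsplit(target)
    path = parts.path or "/"
    if path not in WATCHED:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKERS.search(name) or (name in WATCHED[path] and MARKERS.search(value)):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return [(target, hits)] for each log line whose request is suspicious."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        hits = suspicious_params(m.group("target")) if m else []
        if hits:
            findings.append((m.group("target"), hits))
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2020:10:00:01 +0000] "GET /?client_id=portal&state=abc123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2020:10:00:02 +0000] "GET /commonauth?sessionDataKey=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Dec/2020:10:00:03 +0000] "GET /?%3Cb%3Ex=1&client_id=ok HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2020:10:00:04 +0000] "GET /publisher/?client_id=%3Cb%3E HTTP/1.1" 200 512',
]
```

Running scan_log(SAMPLE_LOG) flags the second and third lines only; the fourth is ignored because /publisher/ is not one of the endpoints the advisory names.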

Discovered by:
Rodrigo Favarini – MITM Labs
MITM-Cybersecurity