Earlier this year SIG identified and disclosed to WSO2 a previously unknown vulnerability (otherwise known as a 0-day) in their Identity Server product. The vulnerability is a cross-site scripting issue.
It affects the self-registration feature of Identity Server v5.10.0: the ‘tenantDomain’ request parameter is not properly sanitized on input or encoded on output.
Overview of Cross-Site Scripting (XSS)
As defined by the Open Worldwide Application Security Project (OWASP):
‘Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user’.
https://owasp.org/www-community/attacks/xss/
To summarize, XSS attacks occur when an attacker submits input that a website does not handle properly. For example, script tags submitted are incorporated into the page structure and treated as actual code, instead of being displayed as a literal string.
Reflected XSS occurs when you can transmit this malicious input to a victim using a hyperlink (or some other type of poisoned content). Then you get them to visit the link using social engineering techniques.
When someone clicks the link, the malicious JavaScript is executed in the context of their browser. This allows an attacker to steal cookies (leading to impersonation and unauthorized access).
Other possible consequences include redirecting the victim to a different, malicious site, or “keylogging” any actions taken on that same page.
These attacks are usually the result of a lack of input sanitization and output encoding: malicious and/or unexpected characters are not filtered from input, and no HTML encoding is performed when that untrusted input is subsequently displayed, so the script is rendered in an executable form.
Example/Proof-of-Concept
Curious to see if your version of WSO2 is impacted? Try the link below and test it out. You can also test out the exploit on v5.10.0. Visiting this link should produce a benign pop-up in your browser that displays the message “this shouldn’t happen.”
https://sso.example.com/accountrecoveryendpoint/register.do?tenantDomain=%3C%2Fscript%3E%3Cscript%3Ealert(%22this%20shouldnt%20happen%22)%3C%2Fscript%3E%3Cscript%3E
Fix/Solution for Cross-Site Scripting Attacks
This issue can be fixed by updating to a later version of WSO2 Identity Server (> 5.10.0), or manually by making the following change in the code:
- Find and open the following page for editing: /u01/EEI/wso2is-5.10.0/repository/deployment/server/webapps/accountrecoveryendpoint/self-registration-username-request.jsp
- Navigate to line 197 and wrap the “tenantDomain” output with a call to the “Encode.forJavaScript()” function. You should end up with the below:
- var tenantName = "<%=Encode.forJavaScript(tenantDomain) %>";
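The following Node.js script is an added example, not WSO2's code or the original JSP. It models the vulnerable line 197 from the fix above and its hardened form side by side, so the missing output encoding described in the overview section can be seen doing its job. The encodeForJavaScript() function is a simplified re-implementation of the JavaScript-string-context rules that the OWASP Java Encoder's Encode.forJavaScript() applies; treat it as an assumption about that library's behaviour for illustration, not as the library itself. The only input is the tenantDomain value from the proof-of-concept link above, URL-decoded.

```javascript
// Added example (not WSO2 code): vulnerable vs. hardened rendering of the
// tenantDomain value into a JavaScript string literal inside a <script> block.
// encodeForJavaScript() below is a simplified stand-in for the OWASP Java
// Encoder's Encode.forJavaScript() (an assumption about its rules, not the
// library).

// The tenantDomain value from the advisory's proof-of-concept URL, URL-decoded
// so it can be fed straight into the rendering functions as untrusted input.
const POC_TENANT_DOMAIN = decodeURIComponent(
  "%3C%2Fscript%3E%3Cscript%3Ealert(%22this%20shouldnt%20happen%22)%3C%2Fscript%3E%3Cscript%3E"
);

// Shape of the original line 197: the request parameter is interpolated into a
// JavaScript string literal with no encoding at all.
function renderVulnerable(tenantDomain) {
  return `<script>\nvar tenantName = "${tenantDomain}";\n</script>`;
}

// JavaScript string-context encoder (simplified). Letters, digits and a few
// harmless punctuation characters pass through; everything else, including
// quotes, '<', '>', '/' and line terminators, becomes a \xHH or \uHHHH escape.
// The JS engine decodes those escapes when it reads the literal, but the HTML
// parser, which runs first, never sees a "</script>" sequence.
function encodeForJavaScript(value) {
  let out = "";
  const s = String(value);
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i); // UTF-16 code unit, always < 0x10000
    if (/[A-Za-z0-9]/.test(ch) || ch === " " || ch === "." || ch === "," || ch === "_") {
      out += ch;
    } else if (code < 0x100) {
      out += "\\x" + code.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// The hardened line: same template, but the value passes through the encoder.
function renderHardened(tenantDomain) {
  return `<script>\nvar tenantName = "${encodeForJavaScript(tenantDomain)}";\n</script>`;
}

// Mirrors what the browser's JS engine does with the escapes, to show that the
// encoded value still round-trips to the original tenant name.
function decodeJsStringEscapes(encoded) {
  return encoded.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g, (_, x, u) =>
    String.fromCharCode(parseInt(x !== undefined ? x : u, 16))
  );
}

// Defender-side check on the rendered output: the template legitimately has
// exactly one "<script" open and one "</script" close. Any other count means
// the untrusted value broke out of the string literal into markup.
function containsInjectedMarkup(html) {
  const opens = (html.match(/<script/gi) || []).length;
  const closes = (html.match(/<\/script/gi) || []).length;
  return opens !== 1 || closes !== 1;
}

console.log("vulnerable render breaks out of the literal:",
  containsInjectedMarkup(renderVulnerable(POC_TENANT_DOMAIN)));
console.log("hardened render breaks out of the literal:",
  containsInjectedMarkup(renderHardened(POC_TENANT_DOMAIN)));
console.log("value the JS engine sees after encoding:",
  decodeJsStringEscapes(encodeForJavaScript(POC_TENANT_DOMAIN)));
```

Run it with `node` to see the vulnerable render produce three script elements while the hardened render keeps a single one, with the tenant name still intact once the JS engine decodes the escapes. In a real deployment use the OWASP Java Encoder call shown in the fix rather than a hand-written encoder; the point of the example is that the encoding must match the output context (a JavaScript string inside a script block), which is why HTML entity encoding alone would be the wrong tool here.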
Products Impacted
WSO2 Identity Server : 5.10.0
Disclosure Timeline
Disclosure timeline:
- Report to Vendor: January 8, 2023
- Vendor Acknowledgement: February 27, 2023
- Vendor Fix Published: May 11, 2023
Official Release Notice
Learn More
To learn more about SIG Cyber services and how we can help your higher ed institution, contact us today.
About the Author
Tom is an experienced cybersecurity professional supporting SIG’s Single Sign-On (SSO) Identity & Access Management (IAM) practices.