Stored XSS on "MIB Compiler"

Description

Overview

A web application may require fields for user input in its regular operation. If the application does not validate this user input, an attacker could use it to inject a malicious payload that the server processes. Cross-Site Scripting (XSS) is an injection vulnerability where an attacker provides malicious JavaScript into the web application. XSS attacks occur when an attacker sends malicious code to victim users, such as through phishing or other social engineering attacks.

Using XSS, an attacker could bypass authentication mechanisms, steal session information, and perform session-related attacks like session hijacking and session fixation, and even cause malicious code execution. XSS often leverages weaknesses in a web browser, in which the browser does not know whether the malicious JavaScript or payload can be trusted.

There are multiple types of XSS vulnerabilities:

  • *Stored or Persistent or Type 1*: Stored XSS occurs when an attacker can store the XSS payload on the web server or in its database, so that exploitation affects not one but many users of the application.

  • *Reflected or Type 2*: In Reflected XSS, the application reflects or executes the payload immediately after the user submits it. In certain cases, a Reflected XSS payload may not even leave the browser.

  • *Self XSS*: A Self XSS attack occurs when a user enters a crafted XSS link into their browser, and that link includes an XSS payload that the user’s browser executes. The link could come from an attacker during a phishing or similar attack. Unlike Stored or Reflected XSS, Self XSS payloads come from user input, rather than being stored on or reflected from the server.

  • *Document Object Model (DOM) XSS or Type 0*: DOM-based XSS is an advanced type of XSS attack that affects the DOM environment. In a DOM-based XSS attack, the attacker can place a payload execution in the DOM environment or the browser itself. When an application writes the user-supplied input to the DOM environment, it then reads or processes the payload from there and executes it in the browser.

*Note*: For more information on DOM-based XSS, see the [OWASP Cheat Sheet for DOM XSS](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)

During the tests, while uploading a MIB file, a *JavaScript* payload was injected into the `filename` parameter. It was determined that this payload executed when the MIB file was later compiled or deleted, resulting in *Stored XSS*.

Browser URL

https://pentest24.eastus.cloudapp.azure.com/opennms/mib-compiler/APP/UPLOAD/3/180/action/79610936-b6ec-445b-a42d-bdb3791c5250

Steps To Reproduce

1-) Log in to the application and navigate to https://pentest24.eastus.cloudapp.azure.com/opennms/admin/mibCompiler.jsp.
2-) Click the *Upload MIB* button and select a file to upload.

![admin_mib_compiler.png](https://api.us.cobalt.io/v1/attachments/att_0lXy40y/preview)

3-) Intercept the request with a proxy tool (*Burp Suite*), insert the following payload into the `filename` parameter, then send the request:
```
cobalt-file-upload-test%22'><img src=x onerror=alert(location)>%22.html
```

![admin_mib_compiler_upload.png](https://api.us.cobalt.io/v1/attachments/att_Sfu5HTm/preview)

4-) When the file upload completes, the *JavaScript* payload placed in the file name executes in the *MIB Console* area of the page.

![admin_mib_compiler_XSS.png](https://api.us.cobalt.io/v1/attachments/att_qZyxlMe/preview)

5-) Similarly, selecting the uploaded file and performing a compile or delete operation executes the *JavaScript* payload in the console area again.

![admin_mib_compiler_edit_delete.png](https://api.us.cobalt.io/v1/attachments/att_AVzgkCJ/preview)

![admin_mib_compiler_edit_delete_XSS.png](https://api.us.cobalt.io/v1/attachments/att_ExfxOs9/preview)

Severity

medium

An attacker who exploits a cross-site scripting vulnerability is typically able to:

  • Impersonate or masquerade as the victim user.

  • Carry out any action that the user is able to perform.

  • Read any data that the user is able to access.

  • Capture the user's login credentials.

  • Perform virtual defacement of the web site.

  • Inject trojan functionality into the web site.

Suggested Fix

  • Require strong input validation. Do not accept untrusted input or HTML content in your application unless required. If needed, perform HTML encoding.

  • Always perform output encoding. Do not render or process input as it is. Perform encoding, escaping, or any technique to break the structure of a malicious payload so it is not rendered.

  • Use libraries and software components, such as the [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/), which provide reusable software components for input validation, escaping, and more.

  • Turn off support for HTTP `TRACE` on all web servers.

  • Set cookies with the `HttpOnly` flag.

  • Use updated JavaScript and Bootstrap libraries.

  • Use a securely configured `Content-Security-Policy` (CSP) HTTP header.
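The two fixes that address this finding directly are allow-list validation of the uploaded file name and output encoding before the name is rendered into the MIB Console. The following is an added example written for this page, not OpenNMS code and not part of the original report; the function names (`escapeHtml`, `isSafeMibFilename`, `renderConsoleLineUnsafe`, `renderConsoleLineSafe`, `countTags`) and the file-name policy are assumptions, and the sample file name is the one from the report, URL-decoded as the server would see it.

```javascript
// Added example (not OpenNMS code): render an uploaded MIB file name into a
// console/log area without letting it break out of its HTML context.
// All function names and the file-name policy below are assumed for illustration.

// Constructed sample: the file name from the report, URL-decoded (%22 -> ").
const REPORTED_FILENAME =
  'cobalt-file-upload-test"\'><img src=x onerror=alert(location)>".html';

// Every character that has meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Output encoding: neutralise markup characters so the value is shown, not parsed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: an assumed allow-list for MIB file names. One leading
// alphanumeric, then a short conservative character set, no path separators,
// and no ".." sequences. This is a policy for the example, not OpenNMS's own.
const MIB_FILENAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

function isSafeMibFilename(name) {
  return MIB_FILENAME_RE.test(name) && !name.includes('..');
}

// Vulnerable pattern: the raw file name is concatenated into an HTML fragment,
// so a name containing '><img ...> injects a new element into the console.
function renderConsoleLineUnsafe(action, filename) {
  return `<div class="console-line">${action}: ${filename}</div>`;
}

// Hardened pattern: both values are escaped before they enter the markup.
function renderConsoleLineSafe(action, filename) {
  return `<div class="console-line">${escapeHtml(action)}: ${escapeHtml(filename)}</div>`;
}

// Count the HTML tags in a rendered fragment. The wrapper contributes exactly
// two (<div ...> and </div>); anything more means the file name injected markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Stand-alone demonstration.
function main() {
  console.log('allow-list accepts reported name:', isSafeMibFilename(REPORTED_FILENAME));
  console.log('unsafe tags:', countTags(renderConsoleLineUnsafe('Compile', REPORTED_FILENAME)));
  console.log('safe tags:  ', countTags(renderConsoleLineSafe('Compile', REPORTED_FILENAME)));
  console.log(renderConsoleLineSafe('Compile', REPORTED_FILENAME));
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

The validation step rejects the reported file name outright, and the encoding step means that even a name which slips past validation is displayed as literal text in the console rather than parsed as an element; the two controls are independent and should both be applied.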

References

  • [OWASP on XSS Attacks](https://owasp.org/www-community/attacks/xss/)

  • [OWASP on Types of XSS](https://owasp.org/www-community/Types_of_Cross-Site_Scripting#)

  • [Portswigger on XSS](https://portswigger.net/web-security/cross-site-scripting)

  • [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

Prerequisites

A valid user account with permission to upload a *MIB* file is required.

HTTP Request

```
POST /opennms/mib-compiler/APP/UPLOAD/3/180/action/79610936-b6ec-445b-a42d-bdb3791c5250 HTTP/1.1
Host: pentest24.eastus.cloudapp.azure.com
Cookie: use_requisitions_node_vertical_layout=false; JSESSIONID=node0kpnbfsmhc4g81fmwk50tcyu3u182691.node0; JSESSIONID=node012qy0df4ys2nonaypt1l3dy9b51193.node0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------379923581824218266621641984178
Content-Length: 313
Origin: null
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

-----------------------------379923581824218266621641984178
Content-Disposition: form-data; name="180_file"; filename="cobalt-file-upload-test%22'><img src=x onerror=alert(location)>%22.html"
Content-Type: text/html

<script>alert(1)</script>

-----------------------------379923581824218266621641984178--
```

Cobalt URL

#PT22584_9

Acceptance / Success Criteria

None

Attachments

5

Activity


Christian Pape July 5, 2024 at 9:30 AM

Merged.

Christian Pape July 2, 2024 at 7:24 AM

Fixed

Details


Created June 13, 2024 at 6:31 PM
Updated July 8, 2024 at 4:41 PM
Resolved July 5, 2024 at 9:30 AM