Fixed
Details
Assignee
Christian Pape
Reporter
Cobalt
Sprint
None
Fix versions
Priority
High
Created June 13, 2024 at 6:31 PM
Updated July 9, 2024 at 5:57 AM
Resolved July 9, 2024 at 5:57 AM
Overview
A web application may require fields for user input in its regular operation. If the application does not validate this user input, an attacker could use it to inject a malicious payload that the server processes. Cross-Site Scripting (XSS) is an injection vulnerability where an attacker provides malicious JavaScript into the web application. XSS attacks occur when an attacker sends malicious code to victim users, such as through phishing or other social engineering attacks.
Using XSS, an attacker could bypass authentication mechanisms, steal session information, and perform session-related attacks like session hijacking and session fixation, and even cause malicious code execution. XSS often leverages weaknesses in a web browser, in which the browser does not know whether the malicious JavaScript or payload can be trusted.
There are multiple types of XSS vulnerabilities:
*Stored or Persistent or Type 1*: Stored XSS occurs when an attacker can store the XSS payload in the web server or database and the exploitation affects not one but many users of the application.
*Reflected or Type 2*: In Reflected XSS, the application reflects or executes the payload immediately after the user submits it. In certain cases, a Reflected XSS payload may not even leave the browser.
*Self XSS*: A Self XSS attack occurs when a user enters a crafted XSS link into their browser, and that link includes an XSS payload that the user’s browser executes. The link could come from an attacker during a phishing or similar attack. Unlike Stored or Reflected XSS, Self XSS payloads come from user input, rather than being stored on or reflected from the server.
*Document Object Model (DOM) XSS or Type 0*: DOM-based XSS is an advanced type of XSS attack that affects the DOM environment. In a DOM-based XSS attack, the attacker can place a payload execution in the DOM environment or the browser itself. When an application writes the user-supplied input to the DOM environment, it then reads or processes the payload from there and executes it in the browser.
*Note*: For more information on DOM-based XSS, see the [OWASP Cheat Sheet for DOM XSS](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).
During the tests, while creating a new node, malicious *JavaScript* code was injected into the `node-label` parameter, and it was determined that this code executed when the node was displayed later, resulting in *Stored XSS*.
Browser URL
https://pentest24.eastus.cloudapp.azure.com/opennms/rest/requisitions/selfmonitor/nodes
Steps To Reproduce
1-) Log in to the application and navigate to the https://pentest24.eastus.cloudapp.azure.com/opennms/admin/ng-requisitions/quick-add-node.jsp#/ URL.

2-) Fill in all the required information to create a node, insert the following payload into the *Node Label* field, then click the *Provision* button:
```
cobalt"><script>alert(document.domain)</script>
```

3-) After completing the node creation, navigate to the https://pentest24.eastus.cloudapp.azure.com/opennms/admin/categories.htm URL.

4-) Click any *Edit* button and observe that the injected *JavaScript* is executed.


Severity
medium
An attacker who exploits a cross-site scripting vulnerability is typically able to:
Impersonate or masquerade as the victim user.
Carry out any action that the user is able to perform.
Read any data that the user is able to access.
Capture the user's login credentials.
Perform virtual defacement of the web site.
Inject trojan functionality into the web site.
Suggested Fix
Require strong input validation. Do not accept untrusted input or HTML content in your application unless required. If needed, perform HTML encoding.
Always perform output encoding. Do not render or process input as it is. Perform encoding, escaping, or any technique to break the structure of a malicious payload so it is not rendered.
Use libraries and software components, such as the [OWASP ESAPI](https://owasp.org/www-project-enterprise-security-api/), which provide reusable software components for input validation, escaping, and more.
Turn off support for HTTP `TRACE` on all web servers.
Set cookies with the `HttpOnly` flag.
Use updated JavaScript and Bootstrap libraries.
Use a securely configured `Content-Security-Policy` (CSP) HTTP header.
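As an added example (not code from OpenNMS or from the Cobalt report), the following JavaScript shows the two controls recommended above, allowlist validation of the node label and context-aware HTML output encoding, applied to the payload from this finding. The function names, the label policy and the markup are assumptions, not OpenNMS's own.

```javascript
// Added example, not OpenNMS or Cobalt code: the input-validation and
// output-encoding controls from the suggested fix, applied to the node label
// reported in this finding. Function names, the label policy and the markup
// are assumptions.

// The payload string is the one from the report.
const REPORTED_PAYLOAD = 'cobalt"><script>alert(document.domain)</script>';

// Input validation (allowlist): restrict a node label to the characters a
// hostname-like label plausibly needs. The exact policy is an assumed one.
const NODE_LABEL_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$/;

function isValidNodeLabel(label) {
  return typeof label === "string" && NODE_LABEL_RE.test(label);
}

// Output encoding: replace every character that can change HTML structure.
// This is adequate for element content and for quoted attribute values;
// it is NOT sufficient for JavaScript, URL or CSS contexts, which need
// their own encoders.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the stored label is concatenated straight into markup,
// the pattern behind the behaviour observed on the categories page. The first
// quote in the payload closes the value attribute and the rest becomes live
// markup when the page is displayed.
function renderNodeRowUnsafe(label) {
  return `<tr><td><input type="text" name="nodeLabel" value="${label}"></td>` +
         `<td>${label}</td></tr>`;
}

// Hardened rendering: the label is encoded for each HTML context it lands in
// (attribute value and element content), so it can neither close the
// attribute nor open a tag.
function renderNodeRowSafe(label) {
  const safe = encodeHtml(label);
  return `<tr><td><input type="text" name="nodeLabel" value="${safe}"></td>` +
         `<td>${safe}</td></tr>`;
}

// Structural check for a unit test or code review: untrusted data must never
// introduce a <script> element into the rendered fragment.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("valid label?", isValidNodeLabel(REPORTED_PAYLOAD)); // false
console.log("unsafe:", renderNodeRowUnsafe(REPORTED_PAYLOAD));
console.log("safe:  ", renderNodeRowSafe(REPORTED_PAYLOAD));
```

Validation rejects the label at the REST endpoint (`POST .../requisitions/selfmonitor/nodes`) before it is stored; encoding protects every page that later displays labels that were stored before the fix. Both are needed, because the same value is rendered in more than one context, and a `Content-Security-Policy` header remains useful as defence in depth should either be missed.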
References
[OWASP on XSS Attacks](https://owasp.org/www-community/attacks/xss/)
[OWASP on Types of XSS](https://owasp.org/www-community/Types_of_Cross-Site_Scripting#)
[Portswigger on XSS](https://portswigger.net/web-security/cross-site-scripting)
[OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
Prerequisites
A valid user account with permission to create nodes is required.
HTTP Request
POST /opennms/rest/requisitions/selfmonitor/nodes HTTP/1.1
Host: pentest24.eastus.cloudapp.azure.com
Cookie: use_requisitions_node_vertical_layout=false; JSESSIONID=node0tho8csle5alpe57usnv6izp5140404.node0; JSESSIONID=node012qy0df4ys2nonaypt1l3dy9b51193.node0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 290
Origin: https://pentest24.eastus.cloudapp.azure.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"foreign-id":"1714069760850","node-label":"cobalt\"><script>alert(document.domain)</script>","interface":[{"ip-addr":"1.1.1.1","snmp-primary":"P","status":"1","meta-data":[],"monitored-service":[]}],"parent-foreign-id":null,"parent-node-label":null,"asset":[],"meta-data":[],"category":[]}
Cobalt URL
#PT22584_5