yahoo-eng-team team mailing list archive
Message #78533
[Bug 1829594] [NEW] Find XSS issue in test
Public bug reported:
Using the WebInspect tool to test, the test results show that there are XSS
issues.
Critical Issues
Cross-Site Scripting: Reflected ( 5649 ) View Description
CWE: 79,80,82,83,87,116,692,811
Kingdom: Input Validation and Representation
Page:
Parameter: $.auth.scope.project.id
Request:
POST /v3/auth/tokens HTTP/1.1
Host: 10.62.48.69
Content-Length: 336
Cache-Control: no-cache
User-Id: fcebae72c7b34e259be8f003499a4bd1
Pragma: no-cache
Origin: https://10.62.48.69
Project-Id: 14f32da561324e2c8790c60558844a0a
Access-Token: gAAAAABcwW-3ahN06YGt69MyU4GULjxlkWAzC0w5eYf88JqK07CKjdmNWZo42VLhMLS308BEH98vIcD3aCXJ9XlJnByuVvkqJYRjqSS2DLJBr0s6UHMBPsQlotM0_2w_fmn9Xhx0-lftDvdn9xO9Kn_zwuY2Odb7GQ
Content-Type: application/json
Accept: application/json, text/plain, */*
X-Auth-Token: gAAAAABcwW_XT5iUG2uH0kSm_594hJb-k1_utLvDp1DTPB-ZNByJ0CZLYwCwH8V7vufMASXtt6L0KlXLL_rQdFYjleCF7rai5WxpAsY1SwjejsIvKBU05m1jmi_AVJKzICXnZC7vcM0AwHQ1v_ZEasXDeKFkwz7W2Dp8QymzUBoQMlwRX6Ta9yWAWk-M9LxWD3GtzLIOoOzR
IsScopeDomain: false
siderbarBoolMsg: cloudManagementViewBool
If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
operateuser: admin
Referer: https://10.62.48.69/ngportal/login
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
X-WIPP: AscVersion=18.20.178.0
X-Scan-Memo: Category="Audit.Attack"; SID="C13A9BA9ACA4260D094783D9B4A13852"; PSID="2BA1D619C8CFF66416259BDDB34002B6"; SessionType="AuditAttack"; CrawlType="None"; AttackType="PostSubParamInjection"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="13"; AttackParamDesc="%24.auth.scope.project.id"; AttackParamIndex="0"; AttackParamSubIndex="2"; CheckId="5105"; Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="14f32da561324e2c8790c60558844a0a%253c%2573%2543%2572%2549%2570%2554%2520%2574%2559%2570%2545%253d%2574%2545%2578%2554%252f%2576%2542%2573%2543%2572%2549%2570%2554%253e%254d%2573%2567%2542%256f%2578%2528%2537%2532%2532%2534%2533%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e"; AttackStringProps="Attack"; ThreadId="493"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: RequestorThreadIndex="6"; sid="825"; smi="0"; sc="1"; ID="dc87d526-e838-4f7c-9b79-94723727e38a";
X-Request-Memo: ID="520187c2-3597-4998-a2eb-68db0ae93a5b"; sc="1"; ThreadId="493";
Cookie: CustomCookie=WebInspect0
{"auth":{"identity":{"methods":["token"],"token":{"id":"gAAAAABcwW-3ahN06YGt69MyU4GULjxlkWAzC0w5eYf88JqK07CKjdmNWZo42VLhMLS308BEH98vIcD3aCXJ9XlJnByuVvkqJYRjqSS2DLJBr0s6UHMBPsQlotM0_2w_fmn9Xhx0-lftDvdn9xO9Kn_zwuY2Odb7GQ"}},"scope":{"project":{"id":"14f32da561324e2c8790c60558844a0a<sCrIpT tYpE=tExT\/vBsCrIpT>MsgBox(72243)<\/sCrIpT>"}}}}
Response:
HTTP/1.1 401 Unauthorized
Server: IAGV3.06.01
Date: Thu, 25 Apr 2019 09:13:44 GMT
Content-Type: application/json
Content-Length: 226
Connection: keep-alive
Vary: X-Auth-Token
x-openstack-request-id: req-1b47ef10-ece1-41b1-8b56-88a4aba415b0
WWW-Authenticate: Keystone uri="https://10.62.48.69"
...TRUNCATED...not find project: 14f32da561324e2c8790c60558844a0a <sCrIpT tYpE=tExT/vBsCrIpT>MsgBox(72243)</sCrIpT> (Disable insecure_debug mode to suppress these de...TRUNCATED...
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1829594
Title:
Find XSS issue in test
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1829594/+subscriptions
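The exchange in the report, reproduced offline as an added example (editor's code, not keystone's and not the reporter's): the scanner appends its payload to `scope.project.id` in a Keystone v3 token request, and keystone's 401 echoes the unknown project id inside its JSON error message. The triage function decides whether such an echo is browser-exploitable XSS or only a verbose error, which depends on the declared Content-Type rather than on the presence of `<script>` in the body. The 401 body and the contrasting text/html response are constructed for the example; the exact wording of keystone's message is an assumption.

```python
"""Triage a scanner "reflected XSS" finding against a JSON API endpoint.

Added example by the editor; not keystone code and not part of the bug
report. The 401 body below is constructed after the truncated response in
the report; its wording and the contrasting text/html case are assumptions.
"""
import html
import json

# Scanner payload and project id as they appear in the report.
PAYLOAD = "<sCrIpT tYpE=tExT/vBsCrIpT>MsgBox(72243)</sCrIpT>"
PROJECT_ID = "14f32da561324e2c8790c60558844a0a"


def build_probe(token_id: str, project_id: str, payload: str) -> str:
    """Return the POST /v3/auth/tokens body with the payload appended to the
    project id, the same PostSubParamInjection the scanner performed."""
    body = {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": token_id}},
            "scope": {"project": {"id": project_id + payload}},
        }
    }
    return json.dumps(body)


def parse_http_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; the first value of a repeated header wins."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers, body


def classify_reflection(raw_response: str, payload: str) -> dict:
    """Decide whether an echoed payload is browser-exploitable XSS.

    A browser only executes markup in a document it renders as HTML, so the
    verdict hinges on the declared Content-Type (and on nosniff when there
    is none), not on the mere presence of "<script>" in the body.
    """
    status, headers, body = parse_http_response(raw_response)
    mime = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"

    if payload in body:
        if mime in ("text/html", "application/xhtml+xml"):
            verdict = "xss_html_unencoded"      # rendered as HTML: real XSS
        elif mime == "" and not nosniff:
            verdict = "xss_sniffable"           # browser may sniff it as HTML
        else:
            verdict = "echo_in_non_html"        # e.g. application/json: shown as text
    elif html.escape(payload, quote=False) in body:
        verdict = "reflected_encoded"           # echoed, but entity-encoded
    else:
        verdict = "not_reflected"
    return {"status": status, "mime": mime, "nosniff": nosniff, "verdict": verdict}


# Constructed 401 modelled on the truncated response in the report (the
# message is keystone's insecure_debug detail; exact wording is assumed).
KEYSTONE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    "Vary: X-Auth-Token\r\n"
    'WWW-Authenticate: Keystone uri="https://10.62.48.69"\r\n'
    "\r\n"
    + json.dumps({"error": {
        "code": 401,
        "title": "Unauthorized",
        "message": "Could not find project: " + PROJECT_ID + " " + PAYLOAD
                   + " (Disable insecure_debug mode to suppress these details.)",
    }})
)

# Constructed contrast case: the same echo inside an HTML page would be XSS.
HTML_ECHO = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Could not find project: " + PROJECT_ID + PAYLOAD + "</body></html>"
)

if __name__ == "__main__":
    print(build_probe("gAAAAAB...", PROJECT_ID, PAYLOAD))
    print(classify_reflection(KEYSTONE_401, PAYLOAD))
    print(classify_reflection(HTML_ECHO, PAYLOAD))
```

For the report's response (Content-Type: application/json, 401) the verdict is `echo_in_non_html`: the payload is never parsed as HTML by a browser, so what the scanner flagged is verbose error disclosure from keystone's insecure_debug mode, not reflected XSS. The message itself says how to suppress it: the `insecure_debug` option in the `[DEFAULT]` section of keystone.conf is false by default and should stay false outside development. The verdict would change only if a front end inserted that error message into an HTML page without encoding it, which the report does not show.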