Skip to content

Instantly share code, notes, and snippets.

@brandonprry

brandonprry/gist:1fec884bc1253e972e77

Last active January 15, 2016 20:59
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save brandonprry/1fec884bc1253e972e77 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save brandonprry/1fec884bc1253e972e77 to your computer and use it in GitHub Desktop.
Download ZIP
Apache Jetspeed 2 Unauthenticated Reflected XSS
Raw
gistfile1.md

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%31%29%22

If you unencode the URL, the attack becomes obvious:

http://192.168.0.7:8080/jetspeed/portal/fdsa" style="padding-top:5000px;display:block;position:fixed;top:0;left:0;" onmouseover="javascript:alert(1)"

So, it's an 0day right? I thought so when I went to bed that night.

It turns out, someone told Apache about this in 2012. Originally, Jetspeed DID allow < and > in the URI. This was reported in 2007 as an XSS vulnerability and the fix seems to be to return a 400 Bad Request when they are introduced in the URI. However, in 2012, someone messaged the Jetspeed dev mailing list, showing basically the technique I came up with to achieve javascript execution. They recieved an out of office email, and no subsequent replies.

https://mail-archives.apache.org/mod_mbox/portals-jetspeed-dev/201210.mbox/%[email protected]%3E

Caveats

IE and Chrome both have client side XSS protections that make this attack difficult, but Firefox by default has no problem.

@brandonprry
Copy link
Author

brandonprry commented Jan 15, 2016

xss

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment