Camunda Optimize / OPT-3249

Spike: potential Reflected Cross-Site Scripting


    Details

    • Type: Security Report
    • Status: Done
    • Priority: L3 - Default
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.1.0
    • Component/s: backend
    • Labels: None
    • Effort: Not defined

      Description

      Context:
      When sending the following request to the server, the response reflects the body of the request unfiltered
      (the reporter's payload uses an opening <script> tag in both places; it is shown here exactly as sent):

      PUT /api/ingestion/event/batch HTTP/1.1
      Host: 192.168.119.105:8443
      Connection: close
      Content-Type: application/json
      Content-Length: 44

      {"timestamp":"<script>alert('XSS')<script>"}
      

      Server response:

      HTTP/1.1 400 Bad Request
      Connection: close
      Date: Mon, 03 Feb 2020 14:28:35 GMT
      Cache-Control: no-store
      Content-Type: text/plain
      Content-Length: 356

      Cannot deserialize value of type `java.lang.Long` from String "<script>alert('XSS')<script>": not a valid Long value
       at [Source: (org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream); line: 1, column: 14] (through reference chain: java.lang.Object[0]->org.camunda.optimize.dto.optimize.query.event.EventDto["timestamp"])
      

      As can be seen, the Content-Type of the response is text/plain, so modern browsers will not execute the
      reflected script and the finding is not exploitable as-is. The reflection happens because the error body is
      the raw Jackson deserialization message, which quotes the rejected input verbatim. If the Content-Type of
      this error path ever changes to text/html, or the same unfiltered message is rendered into an HTML page,
      the issue would become an exploitable reflected XSS.

      See 101908991_Report_Camunda_Pentest_Camunda_BPM_Plattform_+_Camunda_Optimize_v1.0.pdf for more information.

      AT:

      • there is an idea in place on how we can mitigate this problem
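One way to close the reflection at its source, as an added example that is not Camunda Optimize's own code and not the mitigation idea referred to above: a JAX-RS ExceptionMapper that turns Jackson binding failures into a 400 whose body names the offending field path and the expected Java type, but never includes the submitted value. The package and class names are assumptions; the example assumes a Jersey 2 / Jackson 2 stack, which is what the stack trace in the report indicates.

```java
// Added example for illustration; not part of Camunda Optimize. Package and class names are assumed.
package org.example.hardening;

import java.util.List;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.exc.InvalidFormatException;

import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * Maps Jackson binding failures to a 400 that describes where and why binding failed,
 * without echoing the client-supplied value. That removes the reflection regardless of
 * which Content-Type the error path uses in the future.
 */
@Provider
public class NonReflectingJsonMappingExceptionMapper
    implements ExceptionMapper<JsonMappingException> {

  // Unknown-property errors put the client-supplied property name into the path,
  // so only a conservative character set is ever echoed back.
  private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

  @Override
  public Response toResponse(JsonMappingException e) {
    return Response.status(Response.Status.BAD_REQUEST)
        // Keep text/plain and add nosniff so a browser cannot reinterpret the body as HTML.
        .type(MediaType.TEXT_PLAIN_TYPE)
        .header("X-Content-Type-Options", "nosniff")
        .entity(describe(e))
        .build();
  }

  /** Builds the message from Jackson's structured path, not from e.getMessage(). */
  static String describe(JsonMappingException e) {
    StringBuilder msg = new StringBuilder("Invalid request body");
    String path = fieldPath(e.getPath());
    if (!path.isEmpty()) {
      msg.append(" at ").append(path);
    }
    if (e instanceof InvalidFormatException) {
      // InvalidFormatException.getValue() holds the rejected input; it is deliberately not used.
      Class<?> target = ((InvalidFormatException) e).getTargetType();
      if (target != null) {
        msg.append(": expected a value of type ").append(target.getSimpleName());
      }
    }
    return msg.append('.').toString();
  }

  /** Renders the reference chain as e.g. [0].timestamp, filtering any name that is not a plain identifier. */
  private static String fieldPath(List<JsonMappingException.Reference> refs) {
    StringBuilder sb = new StringBuilder();
    for (JsonMappingException.Reference r : refs) {
      String name = r.getFieldName();
      if (name != null) {
        if (sb.length() > 0) {
          sb.append('.');
        }
        sb.append(SAFE_NAME.matcher(name).matches() ? name : "?");
      } else if (r.getIndex() >= 0) {
        sb.append('[').append(r.getIndex()).append(']');
      }
    }
    return sb.toString();
  }
}
```

For the request in the report this yields a body such as "Invalid request body at [0].timestamp: expected a value of type Long." and the payload string no longer appears anywhere in the response. The body in the report matches what the stock jackson-jaxrs JsonMappingExceptionMapper produces (exception.getMessage() served as text/plain); if that mapper is also registered, remove it (newer Jersey versions offer JacksonFeature.withoutExceptionMappers()) so that two mappers for the same exception type do not leave the choice to provider-ordering rules. Re-sending the PUT from the report and grepping the response for "alert(" is a sufficient regression check.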

              People

              Assignee: Unassigned
              Reporter: Johannes Heinemann (johannes.heinemann)