Details
Description
Context:
When sending the following request to the server, the response reflects the body of the request unfiltered:
PUT /api/ingestion/event/batch HTTP/1.1
Host: 192.168.119.105:8443
Connection: close
Content-Type: application/json
Content-Length: 44

{"timestamp":"<script>alert('XSS')<script>"}
Server response:
HTTP/1.1 400 Bad Request
Connection: close
Date: Mon, 03 Feb 2020 14:28:35 GMT
Cache-Control: no-store
Content-Type: text/plain
Content-Length: 356

Cannot deserialize value of type `java.lang.Long` from String "<script>alert('XSS')<script>": not a valid Long value
 at [Source: (org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream); line: 1, column: 14] (through reference chain: java.lang.Object[0]->org.camunda.optimize.dto.optimize.query.event.EventDto["timestamp"])
As can be seen, the Content-Type of the response is text/plain, so modern browsers render the reflected payload as text and do not execute it. The underlying defect remains: the Jackson deserialization error message echoes the submitted value unmodified into the response body. If the Content-Type of this error response ever changes (for example to text/html), the reflection becomes an exploitable reflected XSS. Exploitability is further limited today because the payload has to arrive in a PUT body with Content-Type application/json, which a cross-origin attacker page cannot send without a CORS preflight and whose response a victim's browser would not render as a navigated page; the fix should nevertheless be to stop echoing the rejected input value.
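One way to remove the reflection at its source, shown here as an added example (this is not Camunda Optimize code, and it is not the mitigation idea referred to below): a JAX-RS ExceptionMapper for Jackson's JsonMappingException that reports the failing field and position but never echoes the rejected value. It assumes a Jersey application in which this provider is registered and takes precedence over the mapper that produced the response above (assumed to be the default one shipped with the Jackson JAX-RS provider); the class name and message wording are the example's own.

```java
// Added example, not Camunda Optimize code: replace Jackson's default error
// text (which quotes the rejected input value) with a message that names only
// the failing field and the location in the document.
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import com.fasterxml.jackson.core.JsonLocation;
import com.fasterxml.jackson.databind.JsonMappingException;

@Provider
public class SafeJsonMappingExceptionMapper
    implements ExceptionMapper<JsonMappingException> {

  @Override
  public Response toResponse(JsonMappingException e) {
    // getPathReference() renders the reference chain, e.g.
    // java.lang.Object[0]->...EventDto["timestamp"]. It is built from the
    // target class's field names and array indices, never from request data.
    String path = e.getPathReference();

    JsonLocation loc = e.getLocation();
    String where = (loc == null)
        ? "unknown location"
        : "line " + loc.getLineNr() + ", column " + loc.getColumnNr();

    // Deliberately omit e.getMessage() / e.getOriginalMessage(): that text is
    // where Jackson quotes the raw submitted value ("<script>alert('XSS')...").
    String body = "Invalid request body: cannot read " + path + " at " + where;

    // Keep the 400 and text/plain of the original behaviour. Because the body
    // no longer contains attacker input, a later change of Content-Type
    // (e.g. to text/html) would not turn this response into an XSS vector.
    return Response.status(Response.Status.BAD_REQUEST)
        .type(MediaType.TEXT_PLAIN_TYPE)
        .entity(body)
        .build();
  }
}
```

With this mapper in place the request above yields a body of the form `Invalid request body: cannot read java.lang.Object[0]->org.camunda.optimize.dto.optimize.query.event.EventDto["timestamp"] at line 1, column 14`, which still tells an API client what went wrong. If the application also wants to keep the detailed Jackson message for debugging, log it server-side inside toResponse rather than returning it.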
See 101908991_Report_Camunda_Pentest_Camunda_BPM_Plattform_+_Camunda_Optimize_v1.0.pdf for more information.
AT:
- there is an idea in place on how we can mitigate this problem