ServiceNow ITSM Cross Site Scripting
Posted on 13 June 2016
*Overview*
------------------------------------------------------------
Vendor: ServiceNow
Vulnerable Product: ServiceNow IT Service Management (ITSM)
Vulnerability Type: Multiple Cross Site Scripting Vulnerabilities (one stored, one reflected)
Vendor Homepage: http://www.servicenow.com/products/it-service-management.html
CVE-ID: NA
Severity: High
Author: Omkar Joshi
Vulnerability Reported: 06/02/2016
Response From Vendor: 06/03/2016
Vendor Confirmation: 06/03/2016
Patch Released: Not yet

*Product Description*
------------------------------------------------------------
ServiceNow ITSM solutions give you end-to-end visibility into your ITIL processes and infrastructure through a single system of record, making it possible to consolidate fragmented tools and legacy systems while automating service management processes. ServiceNow is easy to configure and allows you to go live quickly with confidence, while scaling to your business needs. With a simple and consistent approach, you increase efficiency, lower costs, and devote more time to innovating and delivering the modern, consumer-like, self-service experience your employees expect.

*Proof Of Concept URLs*
------------------------------------------------------------
Stored Cross Site Scripting ->
https://XXX.service-now.com/navpage.do (My Profile)
https://XXX.service-now.com/XXX_ess/home.do?sysparm_cancelable=true (My Portal)

Reflected Cross Site Scripting ->
https://XXX.service-now.com/XXX_ess/search_results.do?sysparm_search= (My Portal Search Bar)

*Credits & Authors*
------------------------------------------------------------
Omkar Joshi

*Steps to Reproduce*
------------------------------------------------------------
Attack Scenario: Stored Cross Site Scripting

Step 1: Log in to ServiceNow.
Step 2: Go to My Profile.
Step 3: Insert an XSS payload in the "First Name" and "Last Name" fields of My Profile. I have used "><img src=x onerror=prompt(1);> and "><img src=x onerror=prompt(document.cookie);> as payloads. The leading "> closes the double-quoted attribute value the name is rendered into, and the <img> with an invalid src fires onerror without any user interaction.
Step 4: Click Update.
Step 5: The script executes whenever anyone visits the dashboard or navigates pages of ServiceNow on which the stored name is rendered.

Attack Scenario: Reflected Cross Site Scripting

Step 1: Log in to ServiceNow.
Step 2: Go to My Portal.
Step 3: Insert an XSS payload in the "Search" bar of My Portal. I have used "><img src=x onerror=prompt("XSS");> and "><img src=x onerror=prompt(1);> as payloads.
Step 4: Click Search. The search term is reflected unencoded into the results page (the sysparm_search parameter of search_results.do) and the script executes.

*Impact of Attack*
------------------------------------------------------------
An attacker can perform a Cross Site Scripting attack and steal the session cookies of other active users. The attacker uses the vulnerable web application as the vehicle to deliver a malicious script to the victim's browser, where it runs with the victim's session in the application's origin. The stored variant needs no victim interaction beyond viewing a page on which the poisoned profile name is displayed; the reflected variant requires the victim to follow a crafted search_results.do link while logged in. Both vectors require the attacker to hold an authenticated ServiceNow account. Note that prompt(document.cookie) only exposes cookies that are not flagged HttpOnly; script running in the application's origin can still issue authenticated requests on the victim's behalf regardless of that flag.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

*Recommendation*
------------------------------------------------------------
Validate input against an allowlist of the characters, format and length that each field actually needs (name fields and search terms have no legitimate use for < > " or &); blocklisting known payloads on its own is easily bypassed. Independently of input validation, encode every untrusted value at the point of output for the context in which it is rendered. Both issues here are attribute-context injections (the payload begins with "> to terminate a double-quoted value), so the output tag library classes must encode at least &, <, >, " and ' with their HTML entity equivalents before writing user-controlled strings into attributes or element bodies. For more information refer to the following link:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
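The following is an added example and is not ServiceNow code. It models the two sinks described in the advisory with hypothetical function names (updateProfile, renderBannerVulnerable, renderSearchVulnerable and their encoded counterparts are all assumptions): a profile name stored and later rendered into a navigation banner, and a search term reflected back into the search box's value attribute. It runs the advisory's own payloads through the vulnerable and the output-encoded version of each sink and counts how many <img> elements each one lets the input create.

```javascript
// Added example, not ServiceNow code. Models the stored (profile name) and
// reflected (sysparm_search) sinks from the advisory and shows why the payload
// breaks out of a double-quoted attribute and how contextual HTML encoding
// neutralises it. All identifiers below are assumptions for illustration.

// Payloads quoted from the advisory.
const PAYLOADS = [
  '"><img src=x onerror=prompt(1);>',
  '"><img src=x onerror=prompt(document.cookie);>',
  '"><img src=x onerror=prompt("XSS");>',
];

// Encoder for HTML text and double-quoted attribute contexts: these five
// characters are the ones that can close a value, open a tag or start an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal in-memory profile store standing in for the user record behind "My Profile".
const profiles = new Map();
function updateProfile(userId, firstName, lastName) {
  profiles.set(userId, { firstName, lastName });
}

// Stored sink: a banner that renders the stored name into an attribute and the element body.
function renderBannerVulnerable(userId) {
  const p = profiles.get(userId);
  const name = `${p.firstName} ${p.lastName}`;
  return `<span class="user" title="${name}">${name}</span>`;
}
function renderBannerEncoded(userId) {
  const p = profiles.get(userId);
  const name = escapeHtml(`${p.firstName} ${p.lastName}`);
  return `<span class="user" title="${name}">${name}</span>`;
}

// Reflected sink: the search box echoes the submitted term into its value attribute.
function renderSearchVulnerable(term) {
  return `<input type="text" name="sysparm_search" value="${term}">`;
}
function renderSearchEncoded(term) {
  return `<input type="text" name="sysparm_search" value="${escapeHtml(term)}">`;
}

// The templates above emit no <img> themselves, so any <img start tag in the
// output was created by the user-controlled input.
function countImgTags(html) {
  return (html.match(/<img\b/gi) || []).length;
}

// Run every payload through both sinks and report which renderer lets it through.
function assess() {
  const results = [];
  for (const payload of PAYLOADS) {
    updateProfile('u1', payload, 'Doe');
    results.push({
      payload,
      storedVulnerable: countImgTags(renderBannerVulnerable('u1')),   // 2: attribute + body
      storedEncoded: countImgTags(renderBannerEncoded('u1')),         // 0
      reflectedVulnerable: countImgTags(renderSearchVulnerable(payload)), // 1
      reflectedEncoded: countImgTags(renderSearchEncoded(payload)),   // 0
    });
  }
  return results;
}

console.log(JSON.stringify(assess(), null, 2));
```

The point of keeping one escapeHtml for both sinks is that the fix belongs at output, in the template layer, not in per-field input filters: the same stored name is safe in the banner and the same search term is safe in the input box because the characters that carry the attack are encoded at the moment they are written into markup. A value that must be placed inside a JavaScript string or a URL needs a different encoder than this one; the HTML entity set shown here is only correct for element bodies and quoted attribute values.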