Security issues for webconsole reported by IBMAPPSCAN tool


Hi,

We are running Ignite in a Kubernetes environment and using Ignite Web Console for querying. When we
ran a security scan on the Ignite Web Console, the scan reported some security issues. The issues
are listed below; all of them are reported as HIGH severity.

Could you please let me know if any of these issues are known issues and are being fixed? If so,
please share the release version in which they will be fixed.


*1. Cross-Site Scripting*

URL: https://xx.xx.xx.xx/api/v1/configuration/clusters/
Entity: (Page)
Risk: It may be possible to steal or manipulate customer session and cookies, which might be used to
impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform
transactions as that user
Causes: Sanitation of hazardous characters was not performed correctly on user input

Difference: Path manipulated from: /api/v1/configuration/clusters/ to:
/api/v1/configuration/clusters/%22%3e%3cscript%3ealert%282176%29%3c%2fscript%3e
Reasoning: The test result seems to indicate a vulnerability because AppScan successfully embedded
a script in the response, which will be executed when the page loads in the user's browser.
Raw Test Response:


...
X-XSS-Protection: 1; mode=block
Content-Length: 100
X-Content-Type-Options: nosniff
Cache-Control: must-revalidate
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Powered-By: Express
ETag: W/"64-whlLflliupqQjcgi+KGMzaGUR6I"
Date: Wed, 08 May 2019 16:15:49 GMT
Expires: -1
Content-Type: text/html; charset=utf-8
Cast to ObjectId failed for value "">" at path "_id" for model "Cluster"



*2. Oracle Application Server PL/SQL Unauthorized SQL Query Execution*


URL: https://xx.xx.xx.xx/api/
Entity: owa_util.signature (Page)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Insecure web application programming or configuration

Difference: Method manipulated from: POST to: GET
Path manipulated from: /api/v1/user to: /api/owa_util.signature
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The
response status was 200 OK. This indicates that the test succeeded in retrieving the content of the
requested file.
Raw Test Response:


...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/70.0.3538.102 Safari/537.36
Referer: https://xx.xx.xx.xx/
Connection: keep-alive
Host: xx.xx.xx.xx
Origin: https://xx.xx.xx.xx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
HTTP/1.1 200 OK
Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT
x-ua-compatible: IE=Edge
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Length: 1370
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15724800; includeSubDomains
content-language: en
ETag: "5ca3572d-55a"
Date: Wed, 08 May 2019 16:08:33 GMT
Content-Type: text/html
<!DOCTYPE html><html><head><base href="/"><meta http-equiv="content-type" content="text/html;
charset=utf-8"><meta http-equiv="content-language" content="en...
...



*3. Oracle Application Server PL/SQL Unauthorized SQL Query Execution*


URL: https://xx.xx.xx.xx/api/
Entity: owa_util.listprint (Page)
Risk: It is possible to view, modify or delete database entries and tables
Causes: Insecure web application programming or configuration

Difference: Method manipulated from: POST to: GET
Path manipulated from: /api/v1/user to: /api/owa_util.listprint
Query manipulated from: to:
p_theQuery=SELECT%20*%20FROM%20SYS.TAB&p_cname=&p_nsize=
Reasoning: AppScan requested a file which is probably not a legitimate part of the application. The
response status was 200 OK. This indicates that the test succeeded in retrieving the content of the
requested file.
Raw Test Response:

...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko)
Chrome/70.0.3538.102 Safari/537.36
Referer: https://xx.xx.xx.xx/
Connection: keep-alive
Host: xx.xx.xx.xx
Origin: https://xx.xx.xx.xx
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
HTTP/1.1 200 OK
Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT
x-ua-compatible: IE=Edge
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Length: 1370
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15724800; includeSubDomains
content-language: en
ETag: "5ca3572d-55a"
Date: Wed, 08 May 2019 16:08:33 GMT
Content-Type: text/html
<!DOCTYPE html><html><head><base href="/"><meta http-equiv="content-type" content="text/html;
charset=utf-8"><meta http-equiv="content-language" content="en...
...


*4. SQL Injection File Write (requires user verification)*

URL:
https://xx.xx.xx.xx/assets/templates/confirm.tpl.164bcc1d08730e53bccd623695ce4351.html
Entity: xx.xx.xx.xx (Page)
Risk: It is possible to run remote commands on the web server. This usually means complete
compromise of the server and its contents
Causes: Sanitation of hazardous characters was not performed correctly on user input

Difference:
Reasoning: The user needs to verify whether this test succeeded or not. Please see the advisory for
more details.
<!DOCTYPE html><html><head><base href="/"><meta http-equiv="content-type"
content="text/html;
charset=utf-8"><meta http-equiv="content-language" content="en...
...
Raw Test Response:

HTTP/1.1 200 OK
Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT
Connection: keep-alive
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Length: 1057
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15724800; includeSubDomains
ETag: "5ca3572d-421"
Date: Wed, 08 May 2019 16:08:26 GMT
Content-Type: text/html
<div class="modal modal--ignite theme--ignite" tabindex="-1" role="dialog"><div class="modal-dialog
modal-dialog--adjust-height"><div class="modal-content"><div class="modal-header">
Confirmation
<button class="close" type="button" aria-label="Close" ng-click="confirmCancel()"><svg
ignite-icon="cross"></svg></button></div><div class="modal-body" ng-show="content"><p
ng-bind-html="content"></p></div><div class="modal-footer"><div><button class="btn-ignite
btn-ignite--link-success" id="confirm-btn-cancel" ng-click="confirmCancel()">Cancel</button><button
class="btn-ignite btn-ignite--link-success" id="confirm-btn-no" ng-if="yesNo"
ng-click="confirmNo()">No</button><button class="btn-ignite btn-ignite--success" id="confirm-btn-yes"
ignite-auto-focus...-auto-focus" ng-if="yesNo" ng-click="confirmYes()">Yes</button><button
class="btn-ignite btn-ignite--success" id="confirm-btn-ok" ignite-auto-focus...-auto-focus"
ng-if="!yesNo" ng-click="confirmYes()">Confirm</button></div></div></div></div></div>...

--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/
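
Added example for this thread (not code from the poster, nor from the Apache Ignite project): a
self-contained Node.js script that reproduces the two response shapes visible in the report above
and shows how a practitioner would triage them. In finding 1 the path segment after
/api/v1/configuration/clusters/ reaches the ODM as an id, the resulting "Cast to ObjectId failed
for value ..." message comes back with Content-Type: text/html, and the Content-Length of 100 in
the raw response is exactly the length of that message with the URL-decoded probe
"><script>alert(2176)</script> embedded, so the reflected markup is consistent with the XSS
verdict even though the pasted body shows only "">. Findings 2 and 3 return 200 with the same
ETag "5ca3572d-55a", the same Content-Length 1370 and a body starting
<!DOCTYPE html><html><head><base href="/"> for two unrelated paths under /api/, which is what a
single-page-app catch-all route serving index.html looks like, not an Oracle PL/SQL gateway; the
triage helper compares such a probe against a baseline before accepting "200 OK" as proof that a
file exists. The 24-hex-character ObjectId format, the in-memory cluster table, the fake findById,
the handler names and the GET / baseline response are all assumptions made for the example.

```javascript
'use strict';
// Added example; not code from the original post or from Apache Ignite.
// Plain Node.js, no dependencies. The handlers are stand-ins for an Express
// route and its error handler, written to reproduce the response shapes
// quoted in the AppScan report, not the real Ignite Web Console code.

// Mongoose ObjectIds are 24 hex characters (assumption stated in the lead-in).
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;

function isValidObjectId(value) {
  return typeof value === 'string' && OBJECT_ID_RE.test(value);
}

// Constructed in-memory "collection"; the id is made up for the example.
const CLUSTERS = {
  '5cd2f1a7b3c4d5e6f7a8b9c0': { _id: '5cd2f1a7b3c4d5e6f7a8b9c0', name: 'demo' },
};

// Stand-in for Model.findById: throws with the CastError wording quoted in
// finding 1 when the id is malformed, otherwise returns the document or null.
function fakeFindById(id) {
  if (!isValidObjectId(id)) {
    throw new Error(`Cast to ObjectId failed for value "${id}" at path "_id" for model "Cluster"`);
  }
  return CLUSTERS[id] || null;
}

function jsonResponse(status, payload) {
  return {
    status,
    headers: { 'content-type': 'application/json; charset=utf-8', 'x-content-type-options': 'nosniff' },
    body: JSON.stringify(payload),
  };
}

// Vulnerable shape: the catch block forwards err.message, which embeds the raw
// path segment, as text/html. Any markup in the id reaches the page unescaped.
function vulnerableGetCluster(rawId, findById) {
  try {
    return jsonResponse(200, findById(rawId));
  } catch (err) {
    return { status: 400, headers: { 'content-type': 'text/html; charset=utf-8' }, body: err.message };
  }
}

// Hardened shape: validate the id before it reaches the ODM, never echo the raw
// value, and answer API clients with JSON so a browser will not render it.
function hardenedGetCluster(rawId, findById) {
  if (!isValidObjectId(rawId)) {
    return jsonResponse(400, { error: 'cluster id must be a 24-character hex ObjectId' });
  }
  const doc = findById(rawId);
  return doc ? jsonResponse(200, doc) : jsonResponse(404, { error: 'cluster not found' });
}

// Minimal parser for raw HTTP responses as pasted in scanner reports.
// Header names are lower-cased; repeated headers (Vary above) are joined.
function parseRawResponse(raw) {
  const text = raw.replace(/\r\n/g, '\n');
  const sep = text.indexOf('\n\n');
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? '' : text.slice(sep + 2);
  const [statusLine, ...headerLines] = head.split('\n');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { status: Number(statusLine.split(' ')[1]), headers, body };
}

// Triage for findings 2-4: "200 OK" for a probe path is only evidence of a
// file if the response differs from what the server sends for the SPA index.
// Same ETag, same length and an HTML document body point to a catch-all route
// returning index.html, not to the requested file.
function looksLikeSpaFallback(probe, baseline) {
  const isHtmlDoc = (r) =>
    (r.headers['content-type'] || '').toLowerCase().startsWith('text/html') &&
    r.body.trimStart().startsWith('<!DOCTYPE html>');
  return probe.status === 200 && baseline.status === 200 &&
    isHtmlDoc(probe) && isHtmlDoc(baseline) &&
    probe.headers.etag !== undefined &&
    probe.headers.etag === baseline.headers.etag &&
    probe.headers['content-length'] === baseline.headers['content-length'];
}

// Constructed samples: the probe is trimmed from the finding 2 response above;
// the baseline is what GET / is assumed to return (not captured in the post).
const INDEX_SHELL = '<!DOCTYPE html><html><head><base href="/"><meta http-equiv="content-type" ' +
  'content="text/html; charset=utf-8">...';
const PROBE_OWA_SIGNATURE = ['HTTP/1.1 200 OK', 'Last-Modified: Tue, 02 Apr 2019 12:35:57 GMT',
  'x-ua-compatible: IE=Edge', 'Vary: Accept-Encoding', 'Vary: Accept-Encoding', 'Content-Length: 1370',
  'X-Content-Type-Options: nosniff', 'ETag: "5ca3572d-55a"', 'Content-Type: text/html', '', INDEX_SHELL].join('\r\n');
const BASELINE_INDEX = ['HTTP/1.1 200 OK', 'Content-Length: 1370', 'ETag: "5ca3572d-55a"',
  'Content-Type: text/html', '', INDEX_SHELL].join('\r\n');

// The path segment AppScan injected in finding 1, URL-decoded.
const XSS_PROBE = decodeURIComponent('%22%3e%3cscript%3ealert%282176%29%3c%2fscript%3e');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(vulnerableGetCluster(XSS_PROBE, fakeFindById));
  console.log(hardenedGetCluster(XSS_PROBE, fakeFindById));
  console.log(looksLikeSpaFallback(parseRawResponse(PROBE_OWA_SIGNATURE), parseRawResponse(BASELINE_INDEX)));
}
```

Run it with `node triage.js` (file name is arbitrary). The vulnerable handler's body for the probe is
100 bytes, matching the Content-Length in finding 1; the hardened handler returns a JSON 400 with no
reflected input. For the PL/SQL findings, the practical check is the one looksLikeSpaFallback makes:
fetch / and the flagged path with the same client and compare ETag and length before treating the 200
as a hit.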