Checkmarx finds critical gaps in helpdesk software: XSS vulnerability in Deskpro documented
Despite all the initiatives to secure software development, cross-site scripting (XSS) vulnerabilities remain widespread. The helpdesk software Deskpro, which the security researchers at Checkmarx put under the microscope, is a good example of this.
Through an XSS vulnerability in the helpdesk software Deskpro, Checkmarx was able, among other things, to take over admin sessions.
In the wake of the coronavirus pandemic and the move of jobs to the home office, demand for smart helpdesk and collaboration solutions is rising rapidly. Given this boom, Checkmarx's security research team decided to check the security of Deskpro.
The security experts discovered a dangerous cross-site scripting vulnerability in this widely used solution. Cybercriminals can exploit it in several ways to hijack the sessions of administrators or to take over the accounts of helpdesk agents.
The vulnerability at a glance
Scenario 1: hijacking admin sessions
As a helpdesk solution, Deskpro tracks the user's activities during every session and transmits the data collected between support staff and client in a payload. This payload contains various details about the pages visited, such as the URL, the page title and the page the user came from. From this data Deskpro builds statistics that are made available to administrators in the built-in “Ticket Insight” dashboard.
Exactly here cybercriminals could gain leverage, by inserting arbitrary code unnoticed into the so-called “request page title” field of that payload. The data is stored in the Deskpro database and is loaded every time the “Top KB Views” widget is rendered. The code is then executed in the context of the administrator's browser and, in this case, pops up a modal dialog box in the admin backend.
Attackers can of course exploit this easily by embedding malicious code in the requests and sending the administrator's session token to a server under their control. This works even though the session cookie carries the httpOnly flag, because its value is also available to JavaScript: it is exposed in the global, hard-coded variable DESKPRO_SESSION_CODE.
Once attackers have compromised the administrator's session code, they can place it in their own browser and carry out unauthorized actions in the role and with the rights of the admin. In this way they gain access to the entire system: customer data, agents' inputs (tickets, CRM, etc.) and the system configuration (such as SMTP server credentials). In certain constellations they are even in a position to reset the helpdesk completely and delete all system data.
Scenario 2: abuse of a supporter account
Checkmarx's experts found another way in which criminals can gain access to a Deskpro instance, in this case with the agent rights of a supporter. Here too, a payload with malicious code is introduced into the Deskpro database, just as in the “admin hack” described above.
As soon as the “Top KB Views” dashboard widget is rendered (for example when the agent opens the built-in “Ticket Insights” dashboard), the script is executed. In this variant the malicious script automatically adds a second, attacker-controlled e-mail address to the agent's account, without any dedicated warning message. The request token needed for this can be read from the global variable DP_REQUEST_TOKEN.
To hijack the support agent's account, the attacker then goes to the agents' login page. There he starts the password recovery and enters his own e-mail address, the one the malicious payload previously added to the account. He receives an e-mail with a password-reset link in his inbox.
After that he is able to access the agent's account and carry out actions on its behalf. To do so, the attacker only has to remove the regular supporter's original e-mail address and make his own address the primary one. The legitimate agent then has no way of regaining control of the account.
How software vendors can protect against XSS
Protection against such injections is only provided by correct data encoding/escaping according to the output context, typically before the data is inserted into markup templates or appended to the Document Object Model (DOM). Where inline scripts are unavoidable, so-called cryptographic nonces should be used to put the necessary inline scripts on a dedicated allow list.
In addition, it is recommended to re-authenticate users in some cases, for example when they perform sensitive actions such as changing the e-mail addresses associated with an account. The account owner should also be informed in real time about such changes, so that he can act directly and promptly in case of suspicious activity.
Vulnerability fixed in record time
After Checkmarx's experts had discovered and validated the vulnerability, they informed Deskpro on 31 October 2020 and supported the helpdesk vendor in fixing it. Deskpro responded in record time with a patch that closes the described gaps: on 9 November 2020 the problem was solved.
Christopher Brennan (Image: Checkmarx)
Although they are as old as application security itself and well documented, XSS vulnerabilities remain among the most overlooked and most dangerous problems. Application security testing, as offered by Checkmarx, is key to detecting XSS vulnerabilities. Such solutions are therefore essential for building and maintaining secure software.
* Dr. Christopher Brennan is Director DACH at Checkmarx.