Overview
The apiida API Gateway Manager login screen (Tested on v2023.2.2) is vulnerable to a Reflected XSS. The XSS is found in a hidden input field. However injecting the “<” or “>” character with any text after it is removed by the application. This makes it impossible to create a new JavaScript payload. It is however possible to inject new attributes in this hidden input field because of “ not being removed/encoded. This makes it possible to inject arbitrary JavaScript in the hidden type attribute.
Setup
The apiida API Gateway Manager software should be downloaded (https://apiida.com/product/apiida-api-gateway-manager/) and installed. There is a 30 day free trial available. Setting it up can be done by following the instructions (https://www.youtube.com/watch?v=0glynREqRcc). Do not select any different authentication method but keep the standard after setup. As shown in the image below.
Vulnerability steps
After the setup it should now be possible to visit the login page. If using Docker it can be found by navigating to https://localhost/:
Checking the source code of the login page will show multiple hidden parameters, including one called requestBeforeLogin without a value:
Navigating to https://localhost/?requestBeforeLogin=test will show that test has been added to the requestBeforeLogin parameter:
Next step is to add a new attribute and trying to break out of the hidden form to receive HTML injection.
HTML Payload:
test"%20newAttribute="attribute1"><h1>Text</h1><":
Navigating to https://localhost/?requestBeforeLogin=test“%20newAttribute=”attribute1″><h1>Text</h1><“ Will show that the newattribute has indeed been added and that “ is not encoded:
The other attribute such as <h1> and </h1> have been removed however making it only possible to inject JavaScript in the hidden form.
Injecting XSS in hidden input fields can be difficult to exploit because of it being hidden. This means onmouseover, onfocus, onload, etc will not work. There is a way where it can be exploited by using the accesskey attribute (FireFox was used). More information on this can be found here (https://portswigger.net/research/xss-in-hidden-input-fields).
In this case you have the trick the user into pressing a certain combination of buttons. In the apiida gateway manager it is possible to also inject a text message after the XSS payload which might trick the user into pressing the buttons.
XSS Payload:
%22%20accesskey=%22X%22%20onclick=%22alert(%27Succesfull%20XSS%27)%22%3E%20Press%20ALT+SHIFT+X%20to%20see%20something%20cool
Navigating to https://localhost/?requestBeforeLogin=%22%20accesskey=%22X%22%20onclick=%22alert(%27Succesfull
%20XSS%27)%22%3E%20Press%20ALT+SHIFT+X%20to%20see%20something%20cool Will have the XSS payload including the phishing message shown in the image below:
Now when the user presses ALT+SHIFT+X the XSS payload gets executed:
CVSSv3.1 Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N – (4.3)
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50092
https://apiida.com/product/apiida-api-gateway-manager/
https://portswigger.net/research/xss-in-hidden-input-fields
https://www.youtube.com/watch?v=0glynREqRcc
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N