IP-DOT LTD, a renowned developer of sophisticated computer systems, faces a critical security concern in its BuildaGate v5 application. Idan Malihi and Yaniv Azran, security researchers at CyFox XDR, have identified a Cross-Site Scripting (XSS) vulnerability that lets remote attackers execute arbitrary code by crafting a malicious script and injecting it through the URL, giving them unauthorized access to the victim’s browser. The consequences of this XSS vulnerability are far-reaching, encompassing credential theft, session hijacking, and website defacement. Swift action is imperative to protect users and the organization’s reputation from the potential fallout of this security lapse.
In today’s connected digital world, cyber threats can wreak havoc on individuals, organizations, and even nations.
IP-DOT LTD specializes in developing and implementing sophisticated computer systems, catering specifically to decision-makers within progressive enterprises and organizations. Their expertise spans various advanced environments, encompassing web application solutions, corporate portals, content-rich websites, image websites, information management systems, library management software, commercial arenas, shopping malls and electronic stores, forums, surveys, e-Learning, etc.
IP-DOT LTD has garnered a reputation for delivering a diverse range of advanced off-the-shelf products tailored to the needs of medium-sized businesses and organizations. Furthermore, they offer complementary capabilities that augment the functionality of ERP systems utilized by large organizations worldwide.
What is Cross-Site Scripting (XSS)?
XSS (cross-site scripting) is a critical web application vulnerability in which malicious JavaScript is injected into a web page viewed by other users. The danger arises when the application fails to validate or encode untrusted input before including it in its output, which gives attackers an opening to exploit.
By exploiting this vulnerability, attackers can inject and execute JavaScript code, enabling them to carry out a range of malicious actions. These actions may include data theft, unauthorized access to sensitive information, manipulation of user sessions, and other nefarious activities that compromise the security and integrity of the application and its users.
One of the most straightforward instances of XSS occurs when an application uses data from URL parameters or input fields without properly validating or escaping it. To illustrate, consider a PHP script that extracts the value of the “mc” parameter from the query string and reflects it directly into the corresponding web page.
When a request is made to “index.php?mc=example”, the search value is displayed on the page as “Search results for: blah.” However, a critical vulnerability arises when the “mc” parameter is manipulated to contain JavaScript code instead of a valid search term. In that case the injected JavaScript is also rendered within the page’s body and subsequently executed.
Result:
The code is injected successfully. This particular security vulnerability is known as “reflected XSS.” The injected script is not stored on any server; instead, the attacker aims to trick the victim into making an insecure request to a page that will inadvertently execute the malicious code. For instance, this could be achieved by enticing the victim to click on a malicious link.
It’s important to note that the objective here is not to display the form itself but to demonstrate the presence of XSS. This method is a simple yet effective way to validate and confirm that the exploit exists, highlighting the importance of addressing and rectifying such vulnerabilities to ensure the overall security and protection of the application and its users.
There are 4 different types of XSS
- Stored XSS represents a highly perilous form of cross-site scripting, where malicious JavaScript code is permanently stored on the web server or in its database. When unsuspecting users access the compromised page or data, this malicious code is executed within their web browsers. This opens the door to a range of potential attacks, such as the unauthorized theft of cookies or session hijacking. Stored XSS is the most dangerous among the four types of XSS vulnerabilities. The severity arises from the fact that any user visiting the same vulnerable website can fall victim to the attacker’s code. This widespread impact greatly magnifies the risks and underscores the critical importance of swiftly addressing and mitigating such vulnerabilities.
- Reflected XSS is a transient cross-site scripting attack where JavaScript code is embedded in a URL or input and reflected back to users without proper validation. When a user clicks a malicious link or interacts with the tainted input, the embedded script executes in their browser, potentially leading to unauthorized actions like data theft or session hijacking. Unlike Stored XSS, a Reflected XSS vulnerability is not persistent and only affects those who encounter the manipulated link or input directly. To mitigate Reflected XSS, robust input validation and output encoding are essential to safeguard users from these fleeting yet hazardous exploits.
- DOM XSS is a type of cross-site scripting where the vulnerability lies in client-side JavaScript code, and the injection targets the page’s Document Object Model (DOM). The injected script modifies the DOM, resulting in unintended behavior and data manipulation. Unlike other XSS types, DOM XSS does not send the JavaScript code to the server, so server-side security measures never see it. This makes DOM-based vulnerabilities particularly challenging to address, as traditional server-side defenses cannot fully protect against them.
- Blind XSS is an XSS vulnerability where the injected script executes, but the attacker can’t directly observe the outcomes. Instead, the attacker may need a secondary channel or indirect means to view the response. Detecting and mitigating Blind XSS can be complex since the results aren’t immediately visible to the attacker. This delay in feedback makes it challenging to ascertain the success of the exploit and emphasizes the importance of thorough security testing to identify and address such hidden vulnerabilities.
Explanation of CVE-2023-36163
The cross-site scripting vulnerability in IP-DOT BuildaGate v5 that we identified enables remote attackers to execute arbitrary code by crafting a malicious script and injecting it into the “mc” parameter of the URL. As a result, the attacker can gain unauthorized access to the application.
The attacker can easily exploit this vulnerability by identifying the vulnerable parameter and injecting malicious JavaScript code like this:
'><script>prompt("XSS");</script><div id="aa'
Once the injection is prepared, the attacker simply sends the complete URL, containing the crafted JS code, to the victim, for example:
https://vulnerable_website/BuildaGate5library/general2/company_search_tree.php?mc=aaa'><script>prompt("XSS");</script><div id="aaaa
When the victim opens the crafted URL, their browser renders the injected markup and executes the malicious script. This type of attack lets the attacker perform unauthorized actions in the victim’s browser, potentially compromising sensitive data or initiating further malicious activity.
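To make both the PHP reflection described under “What is Cross-Site Scripting” and the “mc” parameter case above concrete, here is an added example (not BuildaGate’s code, whose source is not shown in this write-up) of a reflected search page in its vulnerable and hardened forms; the function names and the form markup are assumptions, and the input string is constructed to mirror the advisory’s payload.

```php
<?php
// Added example (not IP-DOT's code): a minimal stand-in for a PHP page that
// reflects the "mc" query parameter, shown in a vulnerable form and a hardened
// form. The input string is constructed to mirror the advisory's payload: it
// closes the quoted attribute value it lands in, then opens a <script> element.

// Vulnerable: $mc is concatenated into an attribute and into the page body
// with no encoding, so the browser parses attacker-controlled markup.
function render_search_vulnerable(string $mc): string
{
    return "<input type='text' name='mc' value='" . $mc . "'>\n"
         . "<p>Search results for: " . $mc . "</p>";
}

// Hardened: encode for the HTML context at the point of output.
// ENT_QUOTES converts both ' and " so the value cannot terminate a quoted
// attribute; < and > become &lt; and &gt;, so no element can be opened.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_hardened(string $mc): string
{
    $safe = html_escape($mc);
    return "<input type='text' name='mc' value='" . $safe . "'>\n"
         . "<p>Search results for: " . $safe . "</p>";
}

// True when the rendered HTML still contains a live <script> start tag,
// i.e. when the reflection is exploitable by the payload below.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input, as it would arrive in $_GET['mc'] after URL decoding.
$payload = "aaa'><script>prompt(\"XSS\");</script><div id=\"aaaa";

$vulnerable = render_search_vulnerable($payload);
$hardened   = render_search_hardened($payload);

echo "vulnerable reflection exploitable: " . var_export(contains_script_tag($vulnerable), true) . "\n";
echo "hardened reflection exploitable:   " . var_export(contains_script_tag($hardened), true) . "\n";
echo $hardened . "\n";
```

Encoding at the point of output is the fix for this class of bug; a Content-Security-Policy header that blocks inline script adds a second layer of defense but is not a substitute for it.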
Impact of Reflected Cross-Site Scripting
The consequences of this vulnerability can be severe, including:
- Credential Theft: A malicious attacker can exploit the reflected XSS vulnerability on a widely-used website. When unsuspecting users click on the attacker’s link containing the JavaScript code, their login credentials (username and password) become exposed and fall into the hands of the attacker. Armed with this stolen information, the attacker gains unauthorized access to the user’s accounts, potentially leading to identity theft, unauthorized transactions, and further security breaches.
- Session Hijacking: Leveraging a reflected XSS vulnerability on a prominent website, attackers can exploit users who click on a link embedded with malicious JavaScript code. This grants them unauthorized access to the victims’ active sessions. Consequently, attackers can impersonate users, post content on their behalf, send messages, and access sensitive information. Swift remediation of this vulnerability is vital to protect users from unauthorized account access and potential privacy violations.
- Website Defacement: Capitalizing on a reflected XSS vulnerability in a widely-used website, attackers can manipulate certain pages to inject malicious scripts. As users access these compromised pages, the attacker effectively defaces the website’s content, displaying personal messages or offensive material. This form of attack can tarnish the website’s reputation, cause distress to users, and negatively impact the organization’s brand image.