3

During a security test I was wondering what the risk classification would be for an authenticated XSS vulnerability. I understand that it depends on classification schemes, so the focus in this question is "what are the leftover risks?" and would that classify (guess-timate) as low, medium, high or critical?

The vulnerability:

An authenticated user can inject JavaScript in a part of the website/application that is only accessible by other authenticated users.

Constraints:

  1. There are different roles/groups of users, but the part of the site is only accessible by a specific group (with different roles).
  2. Authentication cookies have the HttpOnly flag.
  3. It is not directly after login; the user needs to actually click through a couple of screens to get to the actual vulnerable part/post.
Wealot

3 Answers

1

If you are assigning risk ratings such as low/medium/high, then I usually start off by classifying stored XSS as high risk:

  • There are different roles/groups of users, but the part of the site is only accessible by a specific group (with different roles).

  • Authentication cookies have the HttpOnly flag

These may be mitigating factors for reclassifying it as a medium risk. The question is whether horizontal privilege escalation offers an attacker any advantage.

e.g. is there private data an attacker could access that is only available within the compromised session?

If all users in the group can see and affect the same data, then I would not classify it as high risk.

I'm slightly confused by your wording though:

specific group (with different roles)

If these roles have access to different things then this would probably be enough to leave it as a high.

SilverlightFox
  • The wording is a bit confusing indeed. What it is is that there are 2 roles (poster and admin) that are allowed to view the post that has the XSS. But the users are also divided into "regions" that give them access to region specific posts. So an admin of region A cannot access a post in region B and only has admin rights in region A. So the XSS is very contained to a very specific group of people that would be fairly easily identified (<25 people). Would that then classify as medium? – Wealot Mar 23 '17 at 14:05
1

While CVSS isn't great at estimating specific situations, you can get a good guess-timate.

For authenticated persistent XSS, it would be medium: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

The issue here is that your different roles are effectively meaningless. Any user could perform actions in any of the roles via XSS. How bad that is really depends on your application.

Regarding your constraints:

  1. This is the critical point when classifying the risk for your specific situation. What different roles do the users have? Do some have significantly more rights than others? Can some maybe execute code? Is there private data that should only be read or modified by certain roles? Do you have non-technical mitigations (e.g. all users signed NDAs, all users are well-trusted, you can identify and sue those that perform attacks, etc.)?
  2. HttpOnly does mitigate some aspects of XSS, but it doesn't really impact the rating.
  3. If it is a very obscure page that nobody really visits, that would reduce the rating, as you have to either be lucky or add social engineering to perform a successful attack. Even in CVSS, you could argue to set user interaction to required (the rating is still medium though).
tim
  • This was the most total answer to the question. I will classify it as Medium because it takes quite some "extra" circumstances before the vulnerability can be executed, but could potentially create quite a lot of privilege escalation. The users should be trackable, but logging and SIEM hasn't really been implemented correctly yet. – Wealot Mar 23 '17 at 14:11
0

An XSS vulnerability lies in the "High" or "P1" category.

  1. Cookies with the HttpOnly flag will prevent the injected JavaScript from accessing the auth cookies, but there are various other attacks possible with rogue JS (like a simple alert).
  2. Role-based access will limit but not eliminate the vulnerability.
  3. The location of the vulnerable page will matter a little when deciding the priority of the bug.
Vishal