
DOM XSS vulnerability in Gartner Peer Insights widget patched

Gartner has patched a DOM XSS vulnerability found in the Peer Insights widget, a security bug researchers reckon dates back to the original development of the software.

In a technical write-up of the flaw, penned by Justin Steven, the software security researcher said that “many websites” were made vulnerable to DOM-based cross-site scripting (XSS) when the widget was present.

The Gartner Peer Insights widget is a marketing tool described as “an aggregated, real-time view of a vendor’s review and ratings in a particular market on Gartner Peer Insights” that industry vendors are invited to host on their site to add market “credibility and drive conversions”.

When a website uses the Gartner widget, it sources widget.js from gartner.com and then creates an event listener for postMessage messages before creating a div for the widget to be displayed in.

A hidden iframe pointed at the Gartner.com domain requests a specific page from gartner.com, which then sends a postMessage message to the parent page. That message data is used to construct HTML content that is written into the widget’s content div via the element’s innerHTML property.

Substring shenanigans

Verification consisted of a check that the string “gartner.com” appeared somewhere in the origin of the sending window. However, the check could be bypassed by launching the attack from a website such as https://gartner.com.attacker.com, whose origin still contains that substring.

Furthermore, the researcher described innerHTML as a DOM XSS “sink”, since writing attacker-controlled markup into it fires several XSS triggers. For example, if a victim visited a malicious website, that site could push a crafted message to the vulnerable page via window.postMessage().
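To make the two defects concrete, the following is an added example (not Gartner’s widget code): the substring-style origin check the article describes beside a strict allowlist comparison, and a message handler that rejects untrusted origins and escapes message data instead of writing it raw into innerHTML. The allowlisted origins, the message shape (vendor, rating) and the sample messages are assumptions constructed for illustration.

```javascript
// Added example, not the real widget's code. Pure functions so it runs in Node
// without a DOM; in a browser you would apply the same checks inside the
// "message" event listener before touching the widget's div.

// Assumed allowlist of exact origins (scheme + host, no trailing slash).
const TRUSTED_ORIGINS = new Set(["https://www.gartner.com", "https://gartner.com"]);

// Weak check in the style the article describes: "does the origin contain
// the string gartner.com anywhere?" Any host that embeds that substring passes.
function weakOriginCheck(origin) {
  return origin.indexOf("gartner.com") !== -1;
}

// Strict check: the full origin must equal an allowlisted value exactly, so a
// look-alike such as https://gartner.com.attacker.com is rejected.
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Escape the characters that can break out of an HTML text context. (With a
// real element, assigning textContent is simpler and avoids innerHTML entirely.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Handler for a postMessage-like event object {origin, data}. Returns the
// markup that would be placed in the widget, or null when the message is rejected.
function handleWidgetMessage(event) {
  if (!strictOriginCheck(event.origin)) return null;          // untrusted sender
  if (typeof event.data !== "object" || event.data === null) return null;
  const rating = Number(event.data.rating);
  if (!Number.isFinite(rating) || rating < 0 || rating > 5) return null; // shape check
  return `<span class="rating">${rating.toFixed(1)}</span> ` +
         `<span class="vendor">${escapeHtml(event.data.vendor)}</span>`;
}

// Constructed sample messages: one from an allowlisted origin, one from the
// look-alike origin named in the article, carrying markup in the vendor field.
const benignMessage = { origin: "https://www.gartner.com",
                        data: { vendor: "ExampleCorp", rating: 4.5 } };
const lookalikeMessage = { origin: "https://gartner.com.attacker.com",
                           data: { vendor: "<b>injected</b>", rating: 4.5 } };

console.log(weakOriginCheck(lookalikeMessage.origin));    // true: substring check fooled
console.log(strictOriginCheck(lookalikeMessage.origin));  // false: exact match rejects it
console.log(handleWidgetMessage(benignMessage));
console.log(handleWidgetMessage(lookalikeMessage));       // null
```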

“This crafted message could have injected active content, executing arbitrary JavaScript in the context of the website,” Steven said. “This could have allowed the malicious website to violate the confidentiality and integrity of user data held in the context of the victim site, and allowed it to display arbitrary and harmful content such as a phishing form.”

The attack doesn’t involve sending traffic to the victim website or gartner.com. Instead, this is a client-side attack taking place within a browser window.

Proof-of-Concept (PoC) code, exploit test pages, and a YouTube video demonstrating the bug are now public. Websites previously impacted included Black Kite, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, and Vodafone, among others.

Steven analyzed code from 2022, but after examining an archived version of the widget said, “it appears to have been vulnerable to the DOM XSS issue from its inception”.

Patch and patch again

Gartner was notified about the problem on November 4, 2022. Four days later, the analyst firm acknowledged the report and asked if the researcher would like to submit the problem to its private bug bounty program on HackerOne.

A tactical fix was released on December 19, followed by a “complete repair” in January. However, Steven provided evidence that these initial patches could be bypassed. So, new fixes were released on January 26 and February 2 to resolve the DOM XSS.

Steven said he wished to post his work as a public advisory. However, Gartner said a bug bounty would not be offered if the research was “publicly disclosed outside the HackerOne program”, and therefore, the researcher declined the offer of a bug bounty, leading to public disclosure on February 3.

Magic quadrant

Speaking to The Daily Swig, Steven said that organizations should consider conducting frequent security reviews of third-party, front-end JavaScript code, which includes widgets, analytics code, trackers, ads, customer support chat, and other functions. Alternatively, they should seek assurance about their vendor’s security process.


In any case, the integrity of existing code and risk factors should be considered when implementing new front-end features, according to Steven.

The Daily Swig has reached out to Gartner and we will update this story if and when we hear back.


Source: https://portswigger.net/daily-swig/dom-xss-vulnerability-in-gartner-peer-insights-widget-patched
