CVE-2022-4105 - Kiwi Test Plan Stored XSS Exploit for UI Redressing and Disabling History Page

Recently, an important security vulnerability was identified in Kiwi, a popular test management system. This vulnerability, assigned with the identifier CVE-2022-4105, involves a stored Cross-Site Scripting (XSS) attack, which, if exploited, can lead to serious consequences.

In this post, we will delve into the details of CVE-2022-4105, its impacts, and how it can be chained with multiple injection techniques to perform a User Interface redressing attack (commonly known as Clickjacking) and disable the use of the history page. The aim of this post is to raise awareness about this security vulnerability, its potential damage, and the steps required to mitigate its risks.

Exploit Details

A stored XSS in a Kiwi Test Plan provides an attacker with the ability to inject and execute malicious JavaScript code. This is particularly dangerous since it allows the attacker to assume control over a user's session, thus gaining unauthorized access to sensitive information and performing privileged actions.

For instance, an attacker could inject the following JavaScript code snippet into a test plan description:

<script>
  // Insert malicious JavaScript code here
</script>

This code would then be stored, and when a user accesses the test plan, their browser will execute the malicious JavaScript.

Original Reference

The original security vulnerability report can be found on the CVE database here.

Chaining with HTML Injection for UI Redressing

The stored XSS vulnerability can be combined with an HTML injection to launch a Clickjacking attack in which a malicious link is disguised as a legitimate button or other user interface element. This type of attack aims to deceive the user into clicking on the malicious link, potentially leading to unintended actions executed in the context of the user's current authenticated session.

An HTML injection to chain with the stored XSS might look like this

<iframe src="https://example.com/malicious-page"; width="" height="" style="opacity: ;"></iframe>

Once the HTML injection has been combined with the stored XSS, the attacker can craft a malicious webpage that replicates the legitimate Kiwi interface. The innocent user would be unaware of the malicious actions happening behind the scenes when interacting with the seemingly legitimate interface.

Disable Use of History Page

The stored XSS can also be chained with an HTML injection that disables the use of the history page. By leveraging this technique, the attacker can impede the user's ability to view their activity log, providing cover for any harmful actions being performed by the attacker. Here is an example of an HTML injection that achieves this:

<base href="" target="_blank" rel="noreferrer noopener">

Mitigation

To protect themselves from this security vulnerability, users of Kiwi should update to the latest version of the software as soon as possible. Maintainers of Kiwi have released an updated version that addresses this security issue. In addition, users should be cautious when following links or clicking on elements within the application and should verify the integrity of the destination before interacting with it.

In summary, CVE-2022-4105 serves as a reminder of the importance of timely updates and security-aware development practices. By keeping software up-to-date, users can greatly reduce the risk of falling victim to such attacks while preserving the integrity of their data and systems.

Timeline

Published on: 11/21/2022 20:15:00 UTC
Last modified on: 11/23/2022 18:25:00 UTC