In early 2023, security researchers uncovered CVE-2023-32193, a serious vulnerability in Norman’s public API. This bug allows unauthenticated attackers to inject malicious JavaScript on websites or services utilizing the Norman API. In this article, we’ll break down how this XSS vulnerability works, provide a demonstration of the exploit with code, and share the references for further reading.

What is CVE-2023-32193?

CVE-2023-32193 is an unauthenticated, reflected XSS vulnerability present in an endpoint of Norman’s public API. This means someone does not need to log in or possess any credentials—they only need to know how to craft a specific request.

By exploiting this flaw, an attacker can run JavaScript in a victim’s browser, potentially leading to:

How Does the Vulnerability Work?

The Norman API endpoint accepts user input and returns it directly in the response without properly escaping or filtering out dangerous characters. Attackers can input JavaScript code, and that code will be executed in the context of the user’s browser.

For example, an API endpoint like the following would be at risk:

```http
GET /api/public?query=YOUR_INPUT_HERE
```

If the endpoint's response echoes the value of `YOUR_INPUT_HERE` unescaped into the HTML or JavaScript of the page, it's vulnerable.

Imagine the following vulnerable example:

```javascript
// Backend (Node.js / Express example)
const express = require('express');
const app = express();

app.get('/api/public', (req, res) => {
    const userInput = req.query.query;
    // UNSAFE: Directly includes user input in the response (template literal, no escaping)
    res.send(`<html><body>Query: ${userInput}</body></html>`);
});
```

Requesting the endpoint with a script tag as the `query` value:

```
https://your-norman-site.com/api/public?query=<script>alert('XSSed')</script>
```

produces the following response, with the payload reflected verbatim:

```html
<html>
  <body>Query: <script>alert('XSSed')</script></body>
</html>
```

This pops up an alert box (alert('XSSed')) in the user’s browser, showing that JavaScript (which could be *anything*) has executed.


Because this endpoint is unauthenticated, an attacker only needs to trick a victim into clicking a link (or make them visit a page with an auto-loading request).

How to Fix CVE-2023-32193

For Developers:

Example Fix (Escaping Input)

```javascript
// Replace the five HTML metacharacters with their entity equivalents
const escapeHtml = (unsafe) =>
  String(unsafe).replace(/[&<>"']/g, m => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[m]));

app.get('/api/public', (req, res) => {
    // Escape before the value is interpolated into the HTML response
    const userInput = escapeHtml(req.query.query || '');
    res.send(`<html><body>Query: ${userInput}</body></html>`);
});
```
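The following script is an added example and is not code from the original article or from Norman. It factors the unsafe and fixed handlers above into pure functions (no Express dependency, so it runs offline under Node.js), adds the JSON-response alternative that a public API should normally use instead of HTML, and implements the "does the response echo the input unescaped?" test described earlier as a regression check a developer can run after deploying the fix. Only `escapeHtml` mirrors the article's code; `renderUnsafe`, `renderSafe`, `renderJson`, `reflectsUnescaped` and the `PROBE` string are names and values I constructed for this example.

```javascript
// Added example (not from the original article or the Norman project).
// Function names other than escapeHtml are hypothetical; PROBE is a constructed input.

// Same entity map as the article's fix: covers the characters that can break
// out of an HTML text node or a quoted attribute value.
const escapeHtml = (unsafe) =>
  String(unsafe).replace(/[&<>"']/g, (m) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[m]));

// The 'before' behaviour: the query value is interpolated into HTML verbatim.
function renderUnsafe(query) {
  return `<html><body>Query: ${query}</body></html>`;
}

// The 'after' behaviour: the query value is HTML-escaped before interpolation.
function renderSafe(query) {
  return `<html><body>Query: ${escapeHtml(query || '')}</body></html>`;
}

// Alternative for an API endpoint: answer with JSON and a non-HTML content type,
// so the browser never interprets the reflected value as markup. nosniff stops
// MIME sniffing from turning the body back into HTML.
function renderJson(query) {
  return {
    headers: {
      'Content-Type': 'application/json',
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON.stringify({ query: query || '' }),
  };
}

// Regression check: true if the raw (unescaped) input appears in the response
// body. It only makes sense for inputs containing an HTML metacharacter, since
// a plain string reflects identically whether or not escaping is applied.
function reflectsUnescaped(input, body) {
  if (!/[&<>"']/.test(input)) {
    throw new Error('probe input must contain an HTML metacharacter');
  }
  return body.includes(input);
}

// Constructed probe: the same marker the article uses in its demonstration.
const PROBE = "<script>alert('XSSed')</script>";

// Stand-alone run: shows the unsafe handler reflecting the probe and the fixed one not.
console.log('unsafe reflects probe:', reflectsUnescaped(PROBE, renderUnsafe(PROBE))); // true
console.log('safe reflects probe:  ', reflectsUnescaped(PROBE, renderSafe(PROBE)));   // false
console.log(renderSafe(PROBE));
console.log(renderJson(PROBE).body);
```

The `reflectsUnescaped` check is deliberately strict about its probe: running it with an input that contains no metacharacters would report "reflected" for the fixed handler too and give a false alarm. Note that HTML-entity escaping is the right fix only when the value lands in an HTML text node or quoted attribute; a value written into an inline `<script>` block or a URL needs context-specific encoding, which is one more reason the JSON variant is the safer default for an API.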

CVE Record:

https://nvd.nist.gov/vuln/detail/CVE-2023-32193

Official Norman Security Advisory:

https://security.norman.com/advisories/CVE-2023-32193 (if available)

OWASP XSS Guide:

https://owasp.org/www-community/attacks/xss/

Closing Thoughts

Vulnerabilities like CVE-2023-32193 show how a simple mistake in input handling can have serious security consequences. As more software exposes public APIs, it’s crucial to always validate and properly handle all user-supplied data. If you’re using Norman’s product, be sure to patch to the latest version and review your application for similar issues.

Timeline

Published on: 10/16/2024 13:15:12 UTC
Last modified on: 10/16/2024 16:38:14 UTC