CVE Description
The BeyondTrust Secure Remote Access Base Software (releases through 6.0.1) contains a reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2021-31589, that allows unauthenticated remote attackers to inject arbitrary web script or HTML. The flaw is in the appliance login page, /appliance/login.ns: the value of the login[password] parameter is written back into the response without proper output encoding, so a double quote and angle brackets in the submitted value break out of the HTML attribute and become live markup.
Because the injection is reflected, the attacker has to get a victim to open a crafted link to the appliance. Once the victim does, the injected script runs in the victim's browser within the appliance's origin, where it can read what the victim types into the login form and perform actions on the victim's behalf.
XSS Description
Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It enables an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other.
XSS vulnerabilities allow an attacker to:
- Masquerade as a victim user
- Carry out actions that the user can perform
- Access the user's data
- If the victim has privileged access, the attacker can take full control over the application's functionality and data
Steps to Identify
- Perform spidering or crawling to gather application URLs.
- Check whether the application exposes the appliance login page at the following path:
/appliance/login.ns
- Identify the password parameter in login requests:
?login[password]=
- Inject an XSS payload into the password parameter:
test"><svg/onload=alert("poc_by_karthithehacker")>
- Load the resulting URL in a browser. If the alert pops up, the parameter is reflected without encoding and the application is vulnerable. In an intercepting proxy the same condition shows as the payload appearing verbatim in the HTML response, with the double quote and angle brackets intact rather than encoded as &quot; and &gt;.
Impact
Successful exploitation of this vulnerability can lead to severe security risks, including:
- Credential Theft: Because the injection point is the login form itself, a script running on that page can capture the username and password a victim types in and send them to an attacker-controlled host.
- Session Hijacking: If session cookies are readable by script, an attacker can steal them and gain unauthorized access to the victim's account.
- Defacement: The attacker may modify the rendered login page, for example to show a fake error message or a phishing form, leading to misinformation or reputational damage.
- Privilege Escalation: If the victim is an appliance administrator, an attacker could gain full control over the application's functionality and data.
Steps to Automation
- Obtain a list of live hosts.
- Save all the base URLs into a text file, one per line.
- Use the cve-2021-31589 tool to run the check from the previous section against every URL in that file.
- Install the tool globally with npm and print its help to see the supported options:
npm install cve-2021-31589 -g
cve-2021-31589 -h
Remediation
To mitigate this vulnerability, apply the following security best practices:
- Update to the Latest Version: Upgrade BeyondTrust Secure Remote Access Base Software to a patched release; the vulnerability affects releases through 6.0.1.
- Do Not Reflect Sensitive Input: A submitted password should never be echoed back into the response, whether in an input value attribute or anywhere else in the page.
- Encode Output: Where user-supplied data does have to appear in a page, apply context-aware output encoding (HTML entity encoding for element content and attribute values, JavaScript encoding inside scripts) rather than trying to strip "dangerous" characters from input; blocklist-style input sanitization is routinely bypassed.
- Use Content Security Policy (CSP): A policy whose script-src does not include 'unsafe-inline' blocks the inline onload= handler this payload relies on, which limits the impact if an encoding bug slips through.
- Enable HttpOnly and Secure Cookies: Mark session cookies HttpOnly so injected script cannot read them, and Secure so they are sent only over HTTPS. This is defense in depth, not a fix: it does not stop a script on the login page from capturing the credentials a victim types.
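The rendering mistake behind this class of bug, and the fixes listed above, as an added Python example written for this page (not BeyondTrust's code). The parameter name and payload are the ones from this writeup; the form markup, the render functions, the CSP policy and the cookie attributes are assumptions chosen to illustrate the remediation points.

```python
"""Added example for the remediation section: the rendering mistake behind a reflected
XSS in a login form, next to the encoded and the non-reflecting fix, plus checks for
the CSP and cookie settings recommended above.

Illustrative code written for this page, not BeyondTrust's code. The form markup,
render functions, CSP policy and cookie attributes are assumptions; the parameter
name and payload come from the writeup."""
import html
from typing import Dict, List

FIELD = "login[password]"
PAYLOAD = 'test"><svg/onload=alert("poc_by_karthithehacker")>'

# Assumed server-side template: the submitted value is placed into a quoted attribute.
TEMPLATE = (
    '<form method="post" action="/appliance/login.ns">'
    '<input type="password" name="{field}" value="{value}">'
    '</form>'
)


def render_vulnerable(params: Dict[str, str]) -> str:
    """Echoes the submitted password straight into the value attribute. The " in
    the payload closes the attribute and the <svg> that follows becomes live markup."""
    return TEMPLATE.format(field=FIELD, value=params.get(FIELD, ""))


def render_encoded(params: Dict[str, str]) -> str:
    """Context-aware output encoding: html.escape with quote=True turns & < > " '
    into entities, so whatever was submitted can only ever be attribute text.
    This is the fix for any field that genuinely must be reflected."""
    return TEMPLATE.format(field=FIELD, value=html.escape(params.get(FIELD, ""), quote=True))


def render_hardened(params: Dict[str, str]) -> str:
    """Preferred fix for a password field specifically: do not reflect it at all."""
    return TEMPLATE.format(field=FIELD, value="")


def contains_injected_element(page: str) -> bool:
    """Attribute break-out detector for the payload above: a raw <svg start tag in
    the page means the browser will create an element and run its onload handler."""
    return "<svg" in page


def csp_allows_inline_handlers(policy: str) -> bool:
    """True if the policy lets inline event handlers such as onload= run.
    script-src governs scripts, falling back to default-src; with neither present
    CSP does not restrict scripts at all. 'unsafe-inline' enables handlers unless a
    nonce or hash is also listed, which makes browsers ignore 'unsafe-inline'."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "script-src" not in directives and "default-src" not in directives:
        return True
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# Assumed policy for the appliance: no 'unsafe-inline', so the inline onload= handler
# in the payload cannot execute even if an encoding bug slips through somewhere.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def session_cookie_header(value: str, name: str = "session") -> str:
    """Set-Cookie value with the attributes from the remediation list: HttpOnly keeps
    script from reading it, Secure restricts it to HTTPS. This does not stop a script
    on the login page from capturing what the victim types."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    attack = {FIELD: PAYLOAD}
    for label, render in (("vulnerable", render_vulnerable), ("encoded", render_encoded),
                          ("hardened", render_hardened)):
        page = render(attack)
        print(f"{label:10} injected={contains_injected_element(page)}  {page}")
    print("CSP permits inline handlers:", csp_allows_inline_handlers(CSP_HEADER))
```

Running the block prints the three renderings side by side: only the vulnerable one contains a live <svg element, the encoded one carries &quot;&gt;&lt;svg as harmless attribute text, and the hardened one never echoes the value. The CSP check is the property to verify on the real appliance's response headers: if script-src still permits 'unsafe-inline' without a nonce or hash, the header adds nothing against this payload.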