IBM Patches Reflected XSS in Worklight, MobileFirst

IBM fixed a cross-site scripting vulnerability in two products last month that could have let an attacker execute malicious JavaScript code in a victim’s browser to steal sensitive information or user credentials.

The vulnerability (CVE-2017-1500) lingered in the products, Worklight and MobileFirst, for almost a year. Gabriele Gristina, a security consultant for the Italian information security firm Emaze Networks, first found the bug last summer, on August 29, 2016.

Gristina found the vulnerability, technically a reflected XSS in the products’ OAuth Server’s Web API, while performing a penetration test on a mobile app. The app he was pentesting didn’t have any bugs, but he was surprised when he encountered a vulnerability in the framework itself.

“Generally I always find many security issues in every ‘target,’” Gristina told Threatpost. “When I tested this mobile application I found minor issues and I did not believe it, so I started to fuzz the IBM security framework and after a little while I found the XSS vulnerability.”

The app was written using MobileFirst, a mobile application development platform formerly known as Worklight, made by IBM. The product lets developers build apps, see how they look on different devices, and manage how push notifications from the apps are sent to devices.

The problem, Gristina says, is that the framework didn’t properly validate the untrusted input in a GET parameter present in an authorization function exposed by the RESTful web API.

“In detail, the logout functionality returns an HTTP 403 Forbidden if the value of the ‘scope’ parameter is not defined in the ‘authenticationConfig.xml’ and reflects it without proper validation in the response body,” Gristina wrote in a disclosure – accompanied by a proof-of-concept – on Wednesday.

The researcher adds that exploiting the vulnerability would be relatively easy: an attacker would just have to append a payload to the original value present in the GET parameter “scope.”
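The pattern described above, as an added example that is not IBM's code or the researcher's proof-of-concept: a minimal Python stand-in for the logout endpoint reflects a rejected `scope` value straight into the 403 body, beside a hardened version that checks the value against an allow-list (a constructed stand-in for the scopes in `authenticationConfig.xml`) and never echoes the raw input. The function names, the `CONFIGURED_SCOPES` set and the probe marker are assumptions for illustration.

```python
import html
from typing import Callable, Tuple
from urllib.parse import parse_qs

# Constructed stand-in for the scopes declared in authenticationConfig.xml.
CONFIGURED_SCOPES = frozenset({"default", "profile"})

Response = Tuple[int, str]  # (HTTP status, HTML body)


def _scope_from_query(query: str) -> str:
    """Pull the first 'scope' value out of a raw query string."""
    return parse_qs(query).get("scope", [""])[0]


def logout_vulnerable(query: str) -> Response:
    """Models the flaw: an unknown scope is rejected with 403, but the
    attacker-controlled value is concatenated unescaped into the HTML body."""
    scope = _scope_from_query(query)
    if scope not in CONFIGURED_SCOPES:
        return 403, f"<html><body>Forbidden: unknown scope '{scope}'</body></html>"
    return 200, "<html><body>Logged out</body></html>"


def logout_hardened(query: str) -> Response:
    """Allow-list the value and do not echo rejected input at all.
    On the success path the scope is known-good, but it is escaped anyway
    so the output encoding does not depend on the allow-list staying strict."""
    scope = _scope_from_query(query)
    if scope not in CONFIGURED_SCOPES:
        return 403, "<html><body>Forbidden: scope not configured</body></html>"
    return 200, f"<html><body>Logged out of scope {html.escape(scope)}</body></html>"


def reflects_unescaped(handler: Callable[[str], Response],
                       marker: str = "<i>probe</i>") -> bool:
    """Regression check for defenders: append a harmless markup marker to a
    valid scope (the shape the disclosure describes) and see whether the raw
    marker comes back in the response body."""
    _, body = handler("scope=default" + marker)
    return marker in body
```

`reflects_unescaped` is the kind of check to keep in an endpoint's test suite so that a future change cannot reintroduce the reflection.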


Source: ThreatPost