IBM Watson SaaS Infrastructure Vulnerability

I recently found a couple of vulnerabilities in the SaaS cloud computing infrastructure of IBM Watson. After reporting the issue on the IBM PSIRT website and working with them to fix the issue, IBM replied with the following:

“Thanks for confirming that the issue has been fixed. Because this is a SaaS offering, we will not be publishing and acknowledging via security bulletin. However please know that we appreciate your cooperation and the effort to inform us of the vulnerability.”

Anyway, I have included the advisory below for anyone who is interested. It is interesting to see that trivial vulnerabilities like these are still in the wild.

# Vulnerability type: Cross-site Scripting & Redirect
# Vendor: www.ibm.com
# Product: IBM Watson Cloud Computing SaaS (Cognea)
# Product Link: http://www.ibm.com/smarterplanet/us/en/ibmwatson/
# Credit: Jerold Hoong

The logout.jsp page of the IBM Watson SaaS application is vulnerable to
reflected XSS and open redirect attacks. The page reads the value of the
Referer HTTP header directly and echoes it, unmodified, into the
application's response.

# PROOF OF CONCEPT (XSS)

- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: javascript:alert('XSS')//

# PROOF OF CONCEPT (Redirect)

The logout.jsp page is vulnerable to unvalidated (open) redirects.

- Sample URL: http://127.0.0.1/test/logout.jsp
- Parameter: Referer HTTP header
- Payload: http://malicious-site.com/
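
Both proofs of concept share one root cause: the Referer header is trusted as a return target. The following is an added example (not IBM's code; a Python stand-in for the JSP logic) that shows the unmodified echo beside a hardened version which validates the scheme and host against an allowlist before use. The allowlist host `127.0.0.1` is assumed from the sample URL above.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: the only host the logout page may send the user back to.
ALLOWED_HOSTS = {"127.0.0.1"}
DEFAULT_TARGET = "/login"


def safe_return_url(referer: Optional[str]) -> str:
    """Derive a redirect target from the Referer header only if it is an
    absolute http(s) URL on an allowlisted host; otherwise fall back to
    DEFAULT_TARGET. Rejects javascript: (and every other scheme), protocol-
    relative URLs, and off-site hosts, which covers both payloads above."""
    if not referer:
        return DEFAULT_TARGET
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname          # lower-cased, userinfo stripped
        port = parts.port              # raises ValueError on a bad port
    except ValueError:
        return DEFAULT_TARGET
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET
    if host is None or host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # Rebuild from parsed parts so user@host tricks, stray whitespace and
    # query strings never reach the Location header.
    port_part = f":{port}" if port else ""
    return f"{parts.scheme}://{host}{port_part}{parts.path or '/'}"


def vulnerable_logout_page(referer: str) -> str:
    """Mirrors the flaw in the advisory: the Referer is echoed unmodified."""
    return f'<a href="{referer}">Return</a>'


def hardened_logout_page(referer: Optional[str]) -> str:
    """Validated target first, then HTML-escaped even though it is trusted."""
    return f'<a href="{escape(safe_return_url(referer), quote=True)}">Return</a>'
```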

# TIMELINE
- 16/04/2015: Vulnerability found
- 17/04/2015: Vendor informed
- 18/04/2015: Vendor responded and acknowledged
- 03/06/2015: Vendor fixed the issue
- 04/06/2015: Public disclosure

Sample XSS screenshot: [image: IBM-Watson]
