Web attack vector closed after failed fix
Gartner has patched a DOM XSS vulnerability found in the Peer Insights widget, a security bug researchers reckon dates back to the original development of the software.
In a technical write-up of the flaw, penned by Justin Steven, the software security researcher said that “many websites” were made vulnerable to DOM-based cross-site scripting (XSS) when the widget was present.
Catch up on the latest security research-related news and analysis
The Gartner Peer Insights widget is a marketing tool described as “an aggregated, real-time view of a vendor’s review and ratings in a particular market on Gartner Peer Insights” that industry vendors are invited to host on their site to add market “credibility and drive conversions”.
When a website uses the Gartner widget, it sources widget.js from gartner.com and then creates an event listener for postMessage messages before creating a div for the widget to be displayed in.
A hidden iframe pointed at the Gartner.com domain requests a specific page from gartner.com which would send a postMessage message to the patent page. This message data would be used in constructing HTML content to be populated into the widget’s content div via a function called innerHTML.
Substring shenanigans
Verification occurs through a check for the string “gartner.com” appearing in the origin of the sending website. However, the check could be bypassed by launching an attack from a website such as https://gartner.com.attacker.com, as this still would meet the substring criteria.
Furthermore, the researcher described innerHTML as a DOM XSS “sink” as several XSS triggers would fire upon injection. For example, if a victim visited a malicious website, a crafted message could be pushed via window.postMessage().
“This crafted message could have injected active content, executing arbitrary JavaScript in the context of the website,” Steven said. ”This could have allowed the malicious website to violate the confidentiality and integrity of user data held in the context of the victim site, and allowed it to display arbitrary and harmful content such as a phishing form.”
The attack doesn’t involve sending traffic to the victim website or gartner.com. Instead, this is a client-side attack taking place within a browser window.
Proof-of-Concept (PoC) code, exploit test pages, and a YouTube video demonstrating the bug are now public. Websites previously impacted included Black Kite, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, and Vodafone, among others.
Steven analyzed code from 2022, but after examining an archived version of the widget said, “it appears to have been vulnerable to the DOM XSS issue from its inception”.
Patch and patch again
Gartner was notified about the problem on November 4, 2022. Four days later, the analyst firm acknowledged the report and asked if the researcher would like to submit the problem to its private bug bounty program on HackerOne.
BACKGROUND Learn about DOM-based XSS on the Web Security Academy
A tactical fix was released on December 19, followed by a “complete repair” in January. However, Steven provided evidence that these initial patches could be bypassed. So, new fixes were released on January 26 and February 2 to resolve the DOM XSS.
Steven said he wished to post his work as a public advisory. However, Gartner said a bug bounty would not be offered if the research was “publicly disclosed outside the HackerOne program”, and therefore, the researcher declined the offer of a bug bounty, leading to public disclosure on February 3.
Magic quadrant
Speaking to The Daily Swig, Steven said that organizations should consider conducting frequent security reviews of third-party, front-end JavaScript code, which includes widgets, analytics code, trackers, ads, customer support chat, and other functions. Alternatively, they should seek assurance about their vendor’s security process.
In any case, the integrity of existing code and risk factors should be considered when implementing new front-end features, according to Steven.
The Daily Swig has reached out to Gartner and we will update this story if and when we hear back.
YOU MAY ALSO LIKE XSS Hunter reborn with added features including CORS misconfig detection