Web attack vector closed after failed fix
Gartner has patched a DOM XSS vulnerability found in the Peer Insights widget, a security bug researchers reckon dates back to the original development of the software.
In a technical write-up of the flaw, penned by Justin Steven, the software security researcher said that “many websites” were made vulnerable to DOM-based cross-site scripting (XSS) when the widget was present.
The Gartner Peer Insights widget is a marketing tool described as “an aggregated, real-time view of a vendor’s review and ratings in a particular market on Gartner Peer Insights” that industry vendors are invited to host on their site to add market “credibility and drive conversions”.
When a website uses the Gartner widget, it sources widget.js from gartner.com and then creates an event listener for postMessage messages before creating a div for the widget to be displayed in.
A hidden iframe pointed at the Gartner.com domain requests a specific page from gartner.com which would send a postMessage message to the patent page. This message data would be used in constructing HTML content to be populated into the widget’s content div via a function called innerHTML.
Verification occurs through a check for the string “gartner.com” appearing in the origin of the sending website. However, the check could be bypassed by launching an attack from a website such as https://gartner.com.attacker.com, as this still would meet the substring criteria.
Furthermore, the researcher described innerHTML as a DOM XSS “sink” as several XSS triggers would fire upon injection. For example, if a victim visited a malicious website, a crafted message could be pushed via window.postMessage().
The attack doesn’t involve sending traffic to the victim website or gartner.com. Instead, this is a client-side attack taking place within a browser window.
Proof-of-Concept (PoC) code, exploit test pages, and a YouTube video demonstrating the bug are now public. Websites previously impacted included Black Kite, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, and Vodafone, among others.
Steven analyzed code from 2022, but after examining an archived version of the widget said, “it appears to have been vulnerable to the DOM XSS issue from its inception”.
Patch and patch again
Gartner was notified about the problem on November 4, 2022. Four days later, the analyst firm acknowledged the report and asked if the researcher would like to submit the problem to its private bug bounty program on HackerOne.
A tactical fix was released on December 19, followed by a “complete repair” in January. However, Steven provided evidence that these initial patches could be bypassed. So, new fixes were released on January 26 and February 2 to resolve the DOM XSS.
Steven said he wished to post his work as a public advisory. However, Gartner said a bug bounty would not be offered if the research was “publicly disclosed outside the HackerOne program”, and therefore, the researcher declined the offer of a bug bounty, leading to public disclosure on February 3.
In any case, the integrity of existing code and risk factors should be considered when implementing new front-end features, according to Steven.
The Daily Swig has reached out to Gartner and we will update this story if and when we hear back.
YOU MAY ALSO LIKE XSS Hunter reborn with added features including CORS misconfig detection