Cross-site scripting vulnerability found in Oracle Integration Cloud
In November 2023, while conducting a security assessment on a client’s instance of the Oracle Integration Cloud Platform, I discovered a medium severity vulnerability nestled within the handling of the “consumer_url” URL parameter. This flaw unveiled a Cross-Site Scripting (XSS) vector that could be exploited by a user with malicious intent. This vulnerability was disclosed to the vendor immediately to afford them the necessary time to address and rectify the issues, in accordance with our responsible disclosure policy.
The vulnerability has since been resolved as of 2024-07-16 by Oracle, according to their patch update here Oracle Critical Patch Update Advisory – July 2024.
What is Oracle Integration Cloud (OIC)?
OIC is a cloud-based integration platform designed to facilitate connections between diverse applications and systems within and between organizations. It offers a visual development interface, allowing users to create, deploy, and manage integrations without extensive coding expertise. An XSS vulnerability not only poses a risk to the security of OIC but also introduces the potential for disruption in the data flow between the interconnected systems. This could result in disruptions to critical business processes, thereby compromising the overall reliability of the integrated ecosystem.
The specific vulnerability, as mentioned earlier, resides in the “consumer_url” parameter which is utilized by multiple pages on the platform. After experimenting with and configuring several integrations within the platform, my attention was drawn to the URLs and their parameters, specifically this URL query parameter as it seemed to be used a lot within the application.
Unfortunately, my first attempts to mess with this parameter did not succeed as the webpage’s backend was correctly sanitizing all data it received. So, I took a short break, grabbed a cup of coffee, and then started digging into the JavaScript on the webpage.
Investigating the vulnerability
While exploring one of the accessible integrations, I modified the parameter value for “consumer_url” to “javascript:alert(24)” (a well-known XSS payload for href attributes). Initially, there was no immediate impact upon loading the page. However, when trying to close the integration, the alert unexpectedly triggered. Although identified as a vulnerability, the need for a valid integration ID in the URL adds a layer of complexity to its exploitation. Successfully leveraging this vulnerability would require the attacker to possess specific knowledge of the integration ID, making it a non-trivial task.
Upon further investigation, I discovered a much neater attack vector. The page for creating a new integration, found at https://<instanceid>.integration.ocp.oraclecloud.com/ic/integration/home/faces/link?page=integration&consumer_url=<payload>, did not require any other parameters. This meant that an attacker would only need to identify the instance-id of the specific integration platform to send a functional payload to any user of the platform. Consequently, the attacker could bypass the requirement of knowing a specific integration ID, which is typically accessible only to logged-in users.
After confirming this finding with the rest of the team, and writing a responsible disclosure, I sent it away to Oracle Security Alerts. They quickly responded, confirming the vulnerability and that a fix was on its way.
The long waiting game: A few months later
Oracle took a total of around eight months to resolve the vulnerability, and only updated us after we reminded them of our disclosure policy (which states anything taking longer than 90 days will be disclosed). While we are pleased to see a fix deployed, it’s imperative to highlight the protracted timeline that large vendors are currently operating under.
This extended delay not only puts systems at prolonged risk but also undermines trust in the responsiveness and security commitment of major software providers. Such lengthy resolution times can have significant implications for organizations relying on these vendors, as they are left vulnerable to potential exploitation during the interim period.
Mitigate vulnerabilities with web application security testing
To mitigate XSS attacks, you need to validate inputs, employ output encoding, and if possible, enforce a secure Content Security Policy. Use secure session management and HTTP Only/Secure flags for cookies. For DOM-based XSS specifically, implement client-side validation, safe DOM manipulation, and context-aware encoding.
To strengthen your web application’s overall security, regular pen testing is the best route. Outpost24’s pen testing as a service solution, SWAT, delivers continuous monitoring of internet facing web applications via a SaaS delivery model. Unlike automated testing, our advanced pen testing services, and highly skilled pen testers, provide custom and in-depth analysis to uncover severe vulnerabilities that automated scanners have routinely missed. Speak to an expert to arrange a live demo for your organization.
About Ghost Labs
Ghost Labs is the specialist security unit within Outpost24 working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing security services such as advanced network penetration testing, (web)application testing, Red Teaming assessments and complex web application exploitation to help organizations have a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community with vulnerability research and coordinated responsible disclosure program.
Ghost Labs performs hundreds of successful penetration tests for its customers ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers, covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies. To help businesses drive security maturity and mitigate risks posed by the evolving threat and techniques of the modern-day hacker.