Prevent JavaScript injection in Operations Manager 2016 web console

View products that this article applies to.

Problem description

Missing input validation and output encoding allows JavaScript injection, leading to Reflected Cross Site Scripting (XSS).

Reflected Cross Site Scripting may be used to inject arbitrary JavaScript to the Microsoft System Center 2016 authenticated page. One may intercept the below GET request and modify the SpaceID to inject arbitrary strings into the left navigation pane of the web console.

GET/OperationsManager/InternalPages/NavigationTree.aspx?SpaceId=1002&ViewId=Favorites_Overview HTTP/1.1

Here is an example of an arbitrary string:

abc%3E%3C","00000000-0000-0000-0000-000000000000");alert(1);//%3E

A malicious JavaScript, once injected, can modify the current behavior of the page and deliver: trojans, force malicious redirections, content spoofing, keyloggers, content leakage, VIEWSTATE and validators’ tokens leakage (defeating anti-CSRF controls), etc.

↑ Back to the top

The attack constitutes of the following steps

An attacker crafts a specific authenticated GET request of System Center with XSS payload and either tricks the victim to access the special URL or tricks the user to access a phishing scam that triggers the specific request.
The authenticated victim loads/reloads the homepage.

Note: The attack is applicable to any viewID value and every request with SpaceID query string parameter.

↑ Back to the top

Test case

Expected result: Invalid SpaceID error or empty pane and no execution of random JavaScript

Outcome: Arbitrary JavaScript executed.

↑ Back to the top

Resolution

Implement strict input validation. Only integers are accepted as SpaceID, so the data type check against the input is sufficient to remediate the vulnerability.

We have added a check to ensure that the SpaceID is a supported value only (1001 and 1002), else the data in the tree is empty.

↑ Back to the top