[20.98.103.245] Cross-Site Scripting (XSS) via /ssl-vpn/getconfig.esp at GlobalProtect VPN Portal
Severity: High
Program: Informatica
Reported by: xbow
Vulnerability Details
## Disclaimer
This vulnerability was detected using **[XBOW](https://xbow.com/)**, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.
This GlobalProtect vulnerability is owned and was originally discovered by XBOW. All details must remain confidential, and the technique must not be disclosed or used without our prior consent. Our team is currently collaborating with Palo Alto Networks to address this vulnerability (tracking ID PAN-287002).
## Description
A Cross-Site Scripting (XSS) vulnerability was discovered in the GlobalProtect VPN portal's getconfig.esp endpoint. The vulnerability exists because the application reflects user input from the `user` parameter in an XML response without proper sanitization.
The application accepts and reflects user input within XML tags, and while it maintains XML structure, it fails to properly encode or sanitize potentially malicious content. This allows an attacker to inject SVG elements with JavaScript event handlers that execute when the XML document is rendered in a browser.
This vulnerability is particularly concerning because it affects a VPN portal, which is a critical security component that typically handles sensitive authentication and access control functions. The ability to execute arbitrary JavaScript in this context could lead to credential theft, session hijacking, or other attacks against VPN users.
## Steps to Reproduce
Note:
This IP address is used by Informatica for VPN access. Looking at the certificates, we see references to:
```
vpn.informatica.com, asgw.informatica.com, ingw.informatica.com, eugw.informatica.com, nygw.informatica.com, spgw.informatica.com, augw.informatica.com, aulabgw.informatica.com, vpn-test.informatica.com, rcgw.informatica.com, tsgw.informatica.com, npgw.informatica.com, dbgw.informatica.com, mhgw.informatica.com, nlgw.informatica.com, stgw.informatica.com, pagw.informatica.com, mxgw.informatica.com, sugw.informatica.com, mlgw.informatica.com, tkgw.informatica.com, sggw.informatica.com, sygw.informatica.com, hygw.informatica.com, hkgw.informatica.com, blgw.informatica.com, vpn.geo.informatica.com, vpn-test.geo.informatica.com, vpdn.informatica.com, vpdngw.informatica.com, invpdgw.informatica.com, mbgw.informatica.com, cegw.informatica.com, krgw.informatica.com, euvdcgw.informatica.com
```
so we believe this might be interesting for the customer.
1. Access the GlobalProtect VPN portal at /ssl-vpn/getconfig.esp
2. Add the user parameter to the URL with a specially crafted SVG payload:
```
https://20.98.103.245/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
```
3. Observe that when the page loads, the JavaScript code in the onload attribute executes, triggering an alert dialog.
When these steps are followed, the payload is reflected in the XML response and executed by the browser, demonstrating the successful exploitation of the XSS vulnerability.
## Mitigations
- Implement proper XML encoding for all user-supplied data before including it in XML responses
- Add Content Security Policy (CSP) headers to restrict script execution and prevent JavaScript event handlers
- Validate and sanitize all input parameters, particularly those that appear in XML responses
- Consider implementing a whitelist of allowed values for the `user` parameter
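The reflection described in the Description section and the XML-encoding mitigation listed first above, as an added example that is not part of the original report or of GlobalProtect's code: a hypothetical response builder that concatenates the `user` value (so the SVG payload from the report becomes child elements of `<user>`) beside one that XML-encodes every user-supplied value, plus a parser-based check a reviewer can run to confirm the value is reflected as character data only. The response shape and the `portal`/`user` element names are assumptions for the demo.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# URL-decoded payload quoted from the report; constructed input for the demo.
SVG_PAYLOAD = '<svg xmlns="http://www.w3.org/2000/svg"><script>prompt("XSS")</script></svg>'


def build_config_unsafe(user: str, portal: str) -> str:
    """Hypothetical vulnerable builder: the `user` value is concatenated into the
    XML as-is, so any markup in it becomes part of the document tree."""
    return f"<response><portal>{portal}</portal><user>{user}</user></response>"


def build_config_safe(user: str, portal: str) -> str:
    """Same response, but every user-supplied value is XML-encoded first so that
    '<', '>' and '&' survive only as character data. (For attribute values,
    pass escape(value, {'"': '&quot;'}) to also neutralise the quote.)"""
    return (
        f"<response><portal>{escape(portal)}</portal>"
        f"<user>{escape(user)}</user></response>"
    )


def injected_elements(xml_doc: str) -> list[str]:
    """Parse the response and return the tags of every element nested under
    <user>. A correctly encoded value is a single text node, so the list is
    empty; a reflected payload shows up as svg/script elements."""
    root = ET.fromstring(xml_doc)
    user_el = root.find("user")
    return [el.tag for el in user_el.iter() if el is not user_el]


def reflected_user_text(xml_doc: str) -> str:
    """The text content of <user> after parsing; with proper encoding this is the
    original input string, unchanged but inert."""
    return ET.fromstring(xml_doc).find("user").text or ""


if __name__ == "__main__":
    for name, builder in (("unsafe", build_config_unsafe), ("safe", build_config_safe)):
        doc = builder(SVG_PAYLOAD, "us-vpn-gw-N")
        print(name, "-> nested elements:", injected_elements(doc))
```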
## Impact
The vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the GlobalProtect VPN portal. This could lead to theft of user credentials, session tokens, or other sensitive information processed by the VPN portal. The attack requires no special privileges and can be triggered by any user who can access the getconfig.esp endpoint.
Report Details
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Reflected