Background
EasyXDM is a JavaScript library that enables cross-domain communication between different web applications by providing a consistent API and handling various browser differences.
During a routine code security review, we discovered cross-site scripting and arbitrary redirection vulnerabilities that stems from the library's dependence on query string parameters to decide its communication states.
Responsible Disclosure
Through our responsible disclosure process, we notified the library's author and submitted a CVE request. In response, the author archived the GitHub repository and put up the following notice:
Warning This repository is not actively maintained as the services it provides is supported natively by all browsers.
We also reached out to nFusion and additional organizations that integrated this vulnerable and now unsupported library into thier products.
nVusion responded that they were forwarding the issue to their support team on 17 May 2023 but received no further communication. On 30 October 2023, we confirmed that nFusion had implemented an alternative library and was no longer vulnerable. As of 27 November 2023, have have still not heard back from them and no changes are in their changelog.
We mitigated this vulnerability for all affected ThreeShield clients before public disclosure.
Issue Description
The issue in EasyXDM occurs because the library decides its communication states when the web application loads and parses the query string parameters. This design allows users to manipulate the query string parameters and potentially exploit the system in several ways to effect an arbitrary redirection, cross-site scripting, iframe tampering, or origin manipuation against users who may trust the domain.
Arbitrary Redirection
The most critical issue is that users can manipulate the query string parameters to cause an instant redirection when the page is loaded. This vulnerability could be exploited for phishing attacks, redirecting users to malicious websites, or stealing sensitive information.
Proof of concept:
https://provider.easyxdm.net/current/example/widget.html?xdm_e=https://threeshield.ca/blog&xdm_c=0&xdm_p=0&xdm_pa=0#.
In case the above is removed, we have archived it at https://examples.threeshield.net/easyxdm/easyxdmarchive.html?xdm_e=https://threeshield.ca/blog&xdm_c=0&xdm_p=0&xdm_pa=0#.
Iframe tampering
If a web application uses the postMessage transportation method, that means it has an iframe. users can manipulate the query string parameters to change the iframe's origin. This could result in unauthorized access to resources from the manipulated origin. This is a particular concern for credit card skimming, given that many sites with PCI SAQ A use iframes for credit card processing.
Cross-site scripting (XSS)
This requires multiple conditions and unlikely, but if a user can control the origin of an iframe when the EasyXDM state is set to postMessage, they can potentially exploit this to perform a cross-site scripting (XSS) attack. By opening the manipulated origin in one tab and the target site in another, an attacker can control the messaging between the two pages. Once the victim is lured to the attacker's site, the attacker can use this vulnerability to execute malicious scripts within the context of the target site, potentially gaining unauthorized access to sensitive data or compromising the user's interaction with the web application.
Origin Manipulation
Users can modify the query string parameters to choose the origin that EasyXDM accepts. This is mainly an issue in the postmessage state, where postmessages of unintended origin will be accepted. However, this is an intended design and not a likely issue but could still lead to unintended security issues as it grants control over accepted origins to users.
Suggested Mitigations
Sign parameters:
Use an HMAC or other signature for parameters and return a 403 or other error if the signature doesn't match.
Implement origin allowlist:
Restrict communication to a predefined list of trusted origins to prevent unauthorized access and iframe tampering.
Check if window!=window.top or window.parent.frames.length > 0
Checking if the window is in an iframe could prevent redirection within an iframe.
To completely prevent the redirect:
Remove or comment out the code that does the redirection:
line 58 of easyXDM/src/stack/HashTransport.js
line 1005 of ajax/libs/easyXDM/2.4.20/easyXDM.min.js
What our clients say about ThreeShield
CTO, Tilia Inc. (Financial Technology and Online Payments)
" ThreeShield has employed a dynamic, risk-based approach to information security that is specific to our business needs but also provides comfort to our external stakeholders. I recommend their services. "
IT Architect, Financial Technology and Online Retail
" Collaborating with ThreeShield to ensure data security was an exciting and educational experience. As we exploded in growth, it was clear that we needed to rapidly mature on all fronts, and ThreeShield was integral to building our confidence with information, software, and infrastructure security. "
IT Security Director, Linden Lab (Virtual Reality)
" ThreeShield helped us focus our efforts, enhancing our security posture and verifying PCI compliance.
All of this was achieved with minimal disruption to the engineering organization as a whole.
The approach was smart. In a short time, we accomplished what much larger companies still struggle to achieve. "
Senior Director of Systems and Build Engineering
" ThreeShield very much values active and respectful collaboration, and went out of their way to get feedback on policies to make sure proposals balanced business needs while not making employees feel like they were dealing with unreasonable overhead. By doing so ThreeShield really helped change the culture around security mindfulness is positive ways. "
Popular Technical Articles
29 January 2024
13 February 2023
2 February 2023
16 January 2023
26 March 2021