[RESOLVED] XSS + bge.com (Baltimore Gas & Electric)

therube
Ambassador
Posts: 7991
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

[RESOLVED] XSS + bge.com (Baltimore Gas & Electric)

Post by therube »

OK now I've been bit.

(Login required.)
Starting from here, username only: http://www.bge.com/myaccount/pages/default.aspx
You're passed to here, password only:

https://corpsts.constellation.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3awww.bge.com%3aadfs&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword&wctx=%2fPages%2fRedirect1.aspx&uid=xxxxxxxxxxx%3d&e=1
At which point you click the SIGN IN button.

At that point I'm "looping" (at least I'm seeing transferring data ... between bge.com & constellation.com), with the XSS warning bar alternately displaying, then not, then again, & CPU using 50% (100% of 1 of 2 cores) & that's all I can get. (Earlier I did get "logged in", but was left with an error message on the page, & the site was inoperable.)

This is going to be a recent change, from no more than 1 month ago.

[NoScript InjectionChecker] JavaScript Injection in ##<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:Lifetime><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-07-27T15:45:07.596Z</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-07-27T16:25:07.596Z</wsu:Expires></t:Lifetime><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:www.bge.com:adfs</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_963fbc99-43e5-4754-9e8c-a1c92c1a30d1" Issuer="http://corpsts.constellation.com/adfs/services/trust" IssueInstant="2012-07-27T15:45:07.611Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2012-07-27T15:45:07.596Z" NotOnOrAfter="2012-07-27T16:25:07.596Z"><saml:AudienceRestrictionCondition><saml:Audience>urn:www.bge.com:adfs</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="windowsaccountname" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"></saml:Attribute><saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>myemailaddr@mochamail.com</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="groupsid" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><saml:AttributeValue>Aries Users</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><saml:AuthenticationStatement 
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2012-07-27T15:43:25.799Z"><saml:Subject><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_963fbc99-43e5-4754-9e8c-a1c92c1a30d1"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /></ds:Reference></ds:SignedInfo><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data></X509Data></KeyInfo></ds:Signature></saml:Assertion></t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>

[NoScript XSS] Sanitized suspicious upload to [https://www.bge.com/_trust/###DATA###%3Ct%3ARequestSecurityTokenResponse+xmlns%3At%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Ct%3ALifetime%3E%3Cwsu%3ACreated+xmlns%3Awsu%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%3E2012-07-27T15%3A45%3A07.596Z%3C%2Fwsu%3ACreated%3E%3Cwsu%3AExpires+xmlns%3Awsu%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%3E2012-07-27T16%3A25%3A07.596Z%3C%2Fwsu%3AExpires%3E%3C%2Ft%3ALifetime%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%3E%3Cwsa%3AEndpointReference+xmlns%3Awsa%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22%3E%3Cwsa%3AAddress%3Eurn%3Awww.bge.com%3Aadfs%3C%2Fwsa%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3Ct%3ARequestedSecurityToken%3E%3Csaml%3AAssertion+MajorVersion%3D%221%22+MinorVersion%3D%221%22+AssertionID%3D%22_963fbc99-43e5-4754-9e8c-a1c92c1a30d1%22+Issuer%3D%22http%3A%2F%2Fcorpsts.constellation.com%2Fadfs%2Fservices%2Ftrust%22+IssueInstant%3D%222012-07-27T15%3A45%3A07.611Z%22+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%22%3E%3Csaml%3AConditions+NotBefore%3D%222012-07-27T15%3A45%3A07.596Z%22+NotOnOrAfter%3D%222012-07-27T16%3A25%3A07.596Z%22%3E%3Csaml%3AAudienceRestrictionCondition%3E%3Csaml%3AAudience%3Eurn%3Awww.bge.com%3Aadfs%3C%2Fsaml%3AAudience%3E%3C%2Fsaml%3AAudienceRestrictionCondition%3E%3C%2Fsaml%3AConditions%3E%3Csaml%3AAttributeStatement%3E%3Csaml%3ASubject%3E%3Csaml%3ASubjectConfirmation%3E%3Csaml%3AConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Acm%3Abearer%3C%2Fsaml%3AConfirmationMethod%3E%3C%2Fsaml%3ASubjectConfirmation%3E%3C%2Fsaml%3ASubject%3E%3Csaml%3AAttribute+AttributeName%3D%22windowsaccountname%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Emyemailadr%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22emailaddress%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Emyemailadr%40mochamail.com%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22groupsid%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%22%3E%3Csaml%3AAttributeValue%3EAries+Users%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3C%2Fsaml%3AAttributeStatement%3E%3Csaml%3AAuthenticationStatement+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aam%3Apassword%22+AuthenticationInstant%3D%222012-07-27T15%3A43%3A25.799Z%22%3E%3Csaml%3ASubject%3E%3Csaml%3ASubjectConfirmation%3E%3Csaml%3AConfirmationMethod%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Acm%3Abearer%3C%2Fsaml%3AConfirmationMethod%3E%3C%2Fsaml%3ASubjectConfirmation%3E%3C%2Fsaml%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3Cds%3ASignature+xmlns%3Ads%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3Cds%3ASignedInfo%3E%3Cds%3ACanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3Cds%3ASignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256%22+%2F%3E%3Cds%3AReference+URI%3D%22%23_963fbc99-43e5-4754-9e8c-a1c92c1a30d1%22%3E%3Cds%3ATransforms%3E%3Cds%3ATransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22+%2F%3E%3Cds%3ATransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22+%2F%3E%3C%2Fds%3ATransforms%3E%3Cds%3ADigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmlenc%23sha256%22+%2F%3E%3Cds%3ADigestValue%3EfeaLQZ%2FDAXkFht%2BxkvwMh7CIG74fOu3ZGsPmM%2FvOecA%3D%3C%2Fds%3ADigestValue%3E%3C%2Fds%3AReference%3E%3C%2Fds%3ASignedInfo%3E%3Cds%3ASignatureValue%3EToJpAKgKhPzxE9wKQETaYAmCrggXJO8SAzJMKjnojiYCG1w4DSw8WP3kulEAIa8J1bY37fvrbhla%2F1RvLZ7zavCdrBBwdG1veESojemOp0rAl2HLlaOXwba4ozyJS7toLJ%2FDUiFltXntJWKnT55tExVkSZMNM%2BCzrGZ8nhA0HI7nsqSa3hOb0dtSyrgKJ3efLxqcwLQNTpfw6Kjah9X2mHxIfP2H6eXvJN2QQDqVmWkWwGmGzHhPIbjMyuDOa89EqBwnfvR5yGl4vuA9leGrnEpggp0EgbyUVxxq7tOT1nUOX36ZhNKEgLD69S8qpCgApM%2FveXJq1d8VM19yTZWgrw%3D%3D%3C%2Fds%3ASignatureValue%3E%3CKeyInfo+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CX509Data%3E%3CX509Certificate%3EMIIFwzCCBKugAwIBAgIQUhydma16Rx97oI%2F%2FjF22hDANBgkqhkiG9w0BAQUFADCBtTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTExMjEzMDAwMDAwWhcNMTQxMjEzMjM1OTU5WjCBrzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMRIwEAYDVQQHFAlCYWx0aW1vcmUxKDAmBgNVBAoUH0NvbnN0ZWxsYXRpb24gRW5lcmd5IEdyb3VwIEluYy4xHzAdBgNVBAsUFkluZm9ybWF0aW9uIFRlY2hub2xvZ3kxLjAsBgNVBAMUJUFERlNzaWduaW5nLWNvcnBzdHMuY29uc3RlbGxhdGlvbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0yD4lyBw0WK1avSs%2BgHPa1U802sTGb41X5Aan05c8nqmvRhv6L7qPjnr9N%2FhTk48MKFHWcfksirCrXI0e9mWSqtRWVfLuobRNoXkAWsFVDbyH%2BqQkbWFnzlJ2JnedzEsWVPRNf5ruYIrZ4idmQqOX21shaCHi3lvXLeY4xBy%2B6eyC037rsRW9l2KArL4HdMQqk87JOMtjHxTuSC2OqnIrWgV3KLN1aJOycMihQceLPZA3rMlgvPylSwef78DrIxSW5Z21LvxNqnSg9EVl3KAa3P8CGzMeVMqSwa1FwRvmcfIdXe2RV0kVa0rbMLFRyOtTO9QRff63JNe4ZpgR1F1PAgMBAAGjggHRMIIBzTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUczLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmVHMy5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUAA4IBAQCA7122ekzz7FBqXOy47Uql6iIJrttCIs5F2hhCpDQRxRPs%2FffJA3UwE5k0ZZUBB0ChvLqobJVEhoQ903IWjxstVgvSiOJAMGvATLDJ87WL4VDm%2FbQqRJJiIA6T%2Bz0QuvqsRZTArqMIsvRK3z6NJ0SN6%2FdIblABmy64BZ%2BmVAVxtqjXanRk32HNV7te9qN%2FPjoZTZFiQwny%2FS%2FPTPc4HcKKLrYUeK%2FxRCy4TbXwV1cLJ2JOrepvGrwjlv%2FaN2B1vJBY81oq3fm%2BTuH2YcS5mJrqvwoDAKxsuaLOSDBP%2FsEttIl6IsHeIbU4TTKwHk5H%2BbMxLJ9gFvdEY1zbXQsZqneu%3C%2FX509Certificate%3E%3C%2FX509Data%3E%3C%2FKeyInfo%3E%3C%2Fds%3ASignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Ft%3ARequestedSecurityToken%3E%3Ct%3ATokenType%3Eurn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%3C%2Ft%3ATokenType%3E%3Ct%3ARequestType%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%3C%2Ft%3ARequestType%3E%3Ct%3AKeyType%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%3C%2Ft%3AKeyType%3E%3C%2Ft%3ARequestSecurityTokenResponse%3E] from [https://corpsts.constellation.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3awww.bge.com%3aadfs&wctx=http%3a%2f%2fwww.bge.com]: transformed into a download-only GET request.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/16.0 Firefox/16.0 SeaMonkey/2.13a2
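What the log above shows is not script injection but the WS-Federation passive sign-in itself: after the password step, the ADFS page at corpsts.constellation.com auto-submits an HTML form by cross-site POST to https://www.bge.com/_trust/ carrying wa=wsignin1.0, wctx and a wresult field whose value is the signed XML RequestSecurityTokenResponse (RSTR) with the SAML 1.1 assertion. NoScript's filter saw XML markup in a cross-origin POST and turned the request into a data-less GET, so the relying party never received the token. The following is an added example, not code from this post, from NoScript, or from BGE/Constellation, modelling the relying-party checks on that RSTR (issuer, audience, validity window, signature reference, claims) and what happens to the sign-in when the POST body is dropped. The sample RSTR is constructed from the log on this page, trimmed to the elements checked, with a placeholder instead of the real SignatureValue; the names check_rstr, relying_party, adfs_post_body, REALM and ISSUER are this example's own.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

REALM = "urn:www.bge.com:adfs"                                   # wtrealm seen in the log
ISSUER = "http://corpsts.constellation.com/adfs/services/trust"  # Issuer seen in the log

NS = {
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: the RSTR from the NoScript log, trimmed to what the relying
# party checks. The SignatureValue is a placeholder, not the real signature.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
   AssertionID="_963fbc99-43e5-4754-9e8c-a1c92c1a30d1"
   Issuer="http://corpsts.constellation.com/adfs/services/trust"
   IssueInstant="2012-07-27T15:45:07.611Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml:Conditions NotBefore="2012-07-27T15:45:07.596Z" NotOnOrAfter="2012-07-27T16:25:07.596Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:www.bge.com:adfs</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
     <saml:AttributeValue>myemailaddr@mochamail.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="groupsid" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
     <saml:AttributeValue>Aries Users</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_963fbc99-43e5-4754-9e8c-a1c92c1a30d1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>
   </ds:Signature>
  </saml:Assertion>
 </t:RequestedSecurityToken>
 <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityTokenResponse>"""


def parse_ts(s):
    """SAML/WS-Trust UTC timestamp ('2012-07-27T15:45:07.596Z') -> aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_rstr(xml_text, expected_realm, expected_issuer, now):
    """Relying-party checks on a WS-Fed RSTR; returns (ok, reason, claims)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}RequestSecurityTokenResponse" % NS["t"]:
        return False, "not an RSTR", {}
    assertion = root.find("t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML 1.1 assertion", {}
    if assertion.get("Issuer") != expected_issuer:
        return False, "unexpected issuer", {}
    # AudienceRestriction: a token minted for a different relying party is not ours
    if expected_realm not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        return False, "audience mismatch", {}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", {}
    # The enveloped signature must reference this very assertion. Verifying it against
    # the pinned ADFS token-signing certificate (the X509Certificate in the log) is the
    # step a real relying party adds here; it is left out of this example.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID", ""):
        return False, "missing or detached signature", {}
    claims = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
              for a in assertion.findall(".//saml:Attribute", NS)}
    return True, "ok", claims


def relying_party(method, body, now):
    """What the /_trust/ endpoint can do with the request the browser actually sends."""
    if method != "POST":
        # NoScript's "cross-site POST -> data-less GET" rewrite lands here: no body, no token
        return "error", "no wresult: POST body was dropped"
    form = parse_qs(body)
    if form.get("wa") != ["wsignin1.0"] or "wresult" not in form:
        return "error", "not a wsignin1.0 response"
    ok, reason, claims = check_rstr(form["wresult"][0], REALM, ISSUER, now)
    if not ok:
        return "error", reason
    return "signed-in", claims["emailaddress"][0]


def adfs_post_body(rstr=SAMPLE_RSTR):
    """Body of the form ADFS auto-submits to the relying party (constructed)."""
    return urlencode({"wa": "wsignin1.0", "wresult": rstr, "wctx": "http://www.bge.com"})


if __name__ == "__main__":
    now = parse_ts("2012-07-27T15:50:00.000Z")
    print(relying_party("POST", adfs_post_body(), now))  # ('signed-in', 'myemailaddr@mochamail.com')
    print(relying_party("GET", "", now))                   # ('error', 'no wresult: POST body was dropped')
```

The two calls at the bottom are the two outcomes in this thread: the intact POST signs the user in, and the rewritten GET can only end on an error page, which is why the site kept bouncing between the two domains. Note that the token is a bearer assertion (ConfirmationMethod urn:oasis:names:tc:SAML:1.0:cm:bearer), so anyone holding the wresult value within its 40-minute window could present it; the relying party's defence against a stolen or replayed one is the signature check and the validity window, not the transport.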

Re: XSS + bge.com (Baltimore Gas & Electric)

Post by therube »

Revert back to 2.4.9rc1 & the issue subsides.


2.5rc1 likewise generates the XSS error.
This time I did get "in", though.

http://www.bge.com/myaccount/manage/pages/aderror.aspx?ADFSErr0
Error

An error has occurred. Please close all Internet browser windows and try again.

If you continue to receive this message, please contact a BGE Call Center representative at 800.685.0123. Please keep this screen open – the representative may ask you for information from it.

We apologize for any inconvenience.

Re: XSS + bge.com (Baltimore Gas & Electric)

Post by therube »

Disable XSS protections in NoScript, & well ...

(Really sucks how they use multiple domains, & more & more sites are doing that. And in particular how they pass data back & forth between the two.)

Re: XSS + bge.com (Baltimore Gas & Electric)

Post by therube »

Disabling "Turn cross-site POST requests into data-less GET requests" is enough to get me going.
Giorgio Maone
Site Admin
Posts: 9557
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS + bge.com (Baltimore Gas & Electric)

Post by Giorgio Maone »

Should be fixed in latest development build 2.5rc3, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1

Re: XSS + bge.com (Baltimore Gas & Electric)

Post by therube »

Working, thanks :-).