Charlie Osborne, 08 February 2023 at 13:42 UTC
Updated: 20 February 2023 at 12:31 UTC
A significant web attack vector has been closed after an initial attempt to mitigate the issue proved insufficient.
Gartner has patched a DOM-based XSS vulnerability in its Peer Insights widget. The researcher who reported it says the flaw appears to date back to the earliest versions of the widget.
Justin Steven, a software security researcher, articulated the problem in a technical write-up, asserting that “numerous websites” were put at risk for DOM-based cross-site scripting (XSS) when the widget was utilized.
The Gartner Peer Insights widget serves as a marketing instrument, offering “an aggregated, real-time view of a vendor’s reviews and ratings in a specific market on Gartner Peer Insights.” Industry vendors are encouraged to utilize this tool on their platforms to enhance market “credibility and drive conversions.”
When embedded in a website, the widget loads widget.js from gartner.com. That script registers a message event listener to receive postMessage communications and creates a div element in which the widget is rendered.
A hidden iframe pointed at gartner.com loads a page there, which posts a message back to the embedding page. The listener uses the contents of that message to build HTML, which it writes into the widget’s content div by assigning it to the innerHTML property.
Substring vulnerabilities
The listener’s origin check only tested whether the string “gartner.com” appeared anywhere in the sender’s origin. An attacker page served from a host such as https://gartner.com.attacker.com therefore satisfied the substring test, even though it is not a Gartner origin.
Moreover, as the researcher notes, innerHTML is a classic DOM XSS “sink”: markup written to it is parsed by the browser, so injected elements with event-handler attributes or other script-bearing constructs execute. A user who visited a malicious site could thus be served a crafted message via window.postMessage().
This crafted message had the potential to introduce active content, thereby executing arbitrary JavaScript within the context of the affected website, which could compromise the confidentiality and integrity of user data associated with the victim site and enable the display of malicious content like phishing forms.
Notably, the attack requires no traffic to the victim site or to gartner.com beyond the normal page load; it is a purely client-side attack that plays out inside the user’s browser.
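The following is an added example written for this page, not the Gartner widget’s own code. It reconstructs the pattern described above, a postMessage listener that accepts any origin containing “gartner.com” and concatenates message fields into a string destined for innerHTML, beside a hardened version that parses the origin, requires https, and anchors the hostname comparison at a dot, and that HTML-escapes every message field before it reaches markup. The trusted host, the message field names (vendor, rating) and the attacker payload are assumptions for illustration; the hardened origin check also goes beyond the article by accepting proper subdomains.

```javascript
// Added example (not the Gartner widget's code). Simulates a postMessage
// handler with the substring origin check described in the article and a
// hardened alternative. The trusted host and message shape are assumptions.

const TRUSTED_HOST = "gartner.com"; // assumed trusted host for the demo

// Vulnerable check: any origin that merely contains "gartner.com" passes,
// including https://gartner.com.attacker.com.
function isTrustedOriginSubstring(origin) {
  return origin.indexOf(TRUSTED_HOST) !== -1;
}

// Hardened check: parse the origin, require https, and compare the hostname
// exactly or as a dot-anchored subdomain. Opaque origins (the string "null")
// and unparsable values are rejected because new URL() throws on them.
function isTrustedOriginExact(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  const host = url.hostname;
  return url.protocol === "https:" &&
    (host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST));
}

// Minimal HTML escaping for text that must be placed inside markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable rendering: message fields are concatenated straight into the
// string the page would assign to contentDiv.innerHTML.
function renderUnsafe(msg) {
  return `<div class="rating">${msg.rating}</div>` +
         `<div class="vendor">${msg.vendor}</div>`;
}

// Hardened rendering: every field is escaped, so attacker-controlled data
// can only ever be text inside the widget's own markup.
function renderSafe(msg) {
  return `<div class="rating">${escapeHtml(msg.rating)}</div>` +
         `<div class="vendor">${escapeHtml(msg.vendor)}</div>`;
}

// Simulated listener: returns the markup that would be written into the
// widget, or null when the message is dropped by the origin check.
function handleMessage(event, { checkOrigin, render }) {
  if (!checkOrigin(event.origin)) return null;
  return render(event.data);
}

// Constructed message an attacker page could send with window.postMessage().
const attackerEvent = {
  origin: "https://gartner.com.attacker.com",
  data: { vendor: '<img src=x onerror="alert(document.domain)">', rating: "4.5" },
};

const vulnerable = { checkOrigin: isTrustedOriginSubstring, render: renderUnsafe };
const hardened = { checkOrigin: isTrustedOriginExact, render: renderSafe };

// Runs both configurations against the constructed attacker message.
function demo() {
  return {
    // raw <img onerror> markup reaches the innerHTML sink
    vulnerableOutput: handleMessage(attackerEvent, vulnerable),
    // null: the spoofed origin is rejected before anything is rendered
    hardenedOutput: handleMessage(attackerEvent, hardened),
  };
}

console.log(demo());
```

Two further checks belong in a real listener. The handler should compare event.source against the contentWindow of the iframe it created, so that a message from any other window, even one with an acceptable origin, is ignored; and rendering should prefer textContent or DOM construction over innerHTML wherever the data is meant to be displayed as text, which removes the sink rather than relying on escaping alone.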
Public disclosures including Proof-of-Concept (PoC) code, testing pages, and a YouTube video showcasing the flaw are now available. Previously affected websites include Black Kite, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, Vodafone, among others.
Steven examined the code from 2022, and upon reviewing an archived version of the widget, he stated, “it seems to have been vulnerable to the DOM XSS issue from its inception.”
Continued measures
Gartner was notified of the issue on November 4, 2022. Four days later, the firm acknowledged the report and asked whether the researcher would like to submit it through its private bug bounty program on HackerOne.
A temporary fix was implemented on December 19, followed by a comprehensive resolution in January. However, Steven presented evidence indicating that these initial remedies could be evaded, prompting additional fixes on January 26 and February 2 to adequately address the DOM XSS issues.
Though Steven aimed to publish his findings as a public advisory, Gartner stated that a bug bounty would not be granted if the research was “publicly disclosed outside the HackerOne program.” Consequently, the researcher opted not to accept the bug bounty offer, leading to public disclosure of his findings on February 3.
Recommendations
Speaking to The Daily Swig, Steven stressed that organizations should routinely carry out thorough security reviews of the third-party, front-end JavaScript they embed, which includes widgets, analytics scripts, trackers, advertisements, customer support chat tools and the like. Where that is not feasible, they should at least ask their vendors for a careful account of how that code is secured.
In any scenario, it is vital to assess the security of existing code and potential risks when integrating new front-end features, according to Steven.
The Daily Swig has reached out to Gartner for comments and will provide updates as they become available.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/dom-xss-vulnerability-in-gartner-peer-insights-widget-patched