DOM XSS vulnerability in Gartner Peer Insights widget patched

Charlie Osborne, 08 February 2023 at 13:42 UTC
Updated: 20 February 2023 at 12:31 UTC

Web attack vector resolved following insufficient initial fixes


Gartner has addressed a DOM XSS vulnerability identified in its Peer Insights widget, a security concern that researchers believe has existed since the software’s original development stage.

A technical report by researcher Justin Steven indicated that numerous websites were exposed to DOM-based cross-site scripting (XSS) due to the widget’s presence.


The Gartner Peer Insights widget is a marketing tool that embeds a consolidated, real-time view of a vendor’s reviews and ratings in the vendor’s own website, so that vendors can display their Gartner ratings for credibility and use them to drive conversions.

When a website embeds the Gartner widget, the page loads widget.js from gartner.com. That script registers an event listener for postMessage messages and then creates a div in which the widget is rendered.

A hidden iframe pointed at the Gartner domain loads a specific page, which sends a postMessage message back to the parent page; the data in that message is written into the widget’s content div via innerHTML.

Substring vulnerabilities

Validation consisted of checking that the string “gartner.com” appeared somewhere in the origin of the sending page. An attacker-controlled origin such as https://gartner.com.attacker.com contains that substring and therefore passed the check, so the validation could be bypassed.

The researcher also identified innerHTML as a DOM XSS “sink,” since a payload written to it can carry any number of XSS triggers. For instance, a victim visiting a malicious site could be made to deliver a crafted message to the widget through window.postMessage().

“This crafted message could have introduced active content, executing uncontrolled JavaScript within the victim website context,” Steven explained. “This may have allowed the malicious site to compromise user data’s confidentiality and integrity, as well as display harmful content like phishing forms.”

This type of attack does not transfer traffic to the victim’s site or gartner.com; instead, it is a client-side exploitation occurring directly in the browser.

Publicly available proof-of-concept (PoC) code, exploit test pages, and a YouTube video showcasing the vulnerability confirm the issue. Previously affected organizations included Black Kite, Gradle, LogRhythm, SentinelOne, Synopsys, Veeam, and Vodafone, among others.

Steven examined code from 2022 and discovered that an archived version of the widget suggested it has been vulnerable to the DOM XSS flaw since it was first created.

Patch and re-patch

Gartner was alerted about this issue on November 4, 2022. Four days later, the company confirmed receipt of the report and inquired whether the researcher would like to submit the issue for consideration under its private bug bounty program on HackerOne.


An initial tactical fix was rolled out on December 19, followed by a comprehensive resolution in January. However, Steven provided proof that these initial patches were ineffective against exploitation. Consequently, new updates were implemented on January 26 and February 2 to address the DOM XSS vulnerability properly.

Although Steven intended to publish his findings as an advisory, Gartner indicated that a bug bounty would not be offered if the research was publicly disclosed outside the HackerOne program. Consequently, the researcher declined the bug bounty offer, leading to public disclosure on February 3.

Evaluate the landscape

In a conversation with The Daily Swig, Steven emphasized that companies should regularly audit third-party, front-end JavaScript code, covering aspects like widgets, analytics, trackers, and customer support functionalities. They should also seek assurances regarding their vendor’s security protocols.

Moreover, the integrity of existing code and risk assessments must be taken into account when integrating new front-end features, Steven recommended.

The Daily Swig has contacted Gartner for comment and will update this report upon receiving their feedback.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/dom-xss-vulnerability-in-gartner-peer-insights-widget-patched
