high

XSS in Azure Bastion and Container Registry

Published Wed, Jun 14th, 2023

Platforms

azure

Summary

Orca discovered vulnerabilities in Azure Bastion and Azure Container Registry that could have enabled an attacker to achieve Cross-Site Scripting (XSS) by using iframe postMessages. The vulnerabilities allowed the affected endpoints to be embedded, via the iframe tag, in pages hosted on remote attacker-controlled servers, thereby granting unauthorized access to the victim’s session in the affected service if they were tricked into navigating to an attacker-controlled website. The root cause was that certain web pages in the Bastion and Container Registry customer-facing portals could be embedded in iframes on remote servers: they did not use mitigations such as the X-Frame-Options header or the frame-ancestors directive in a Content Security Policy (CSP), which would have prevented these issues.
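
The following check is an added example, not code from Orca or Microsoft: it decides from a page's response headers whether a given origin could embed that page in an iframe, using the two mitigations named above. The function names, the origins and the sample headers are constructed for illustration.

```javascript
// Added example, not from the advisory. Simplification: only the direct
// embedding parent is checked, not the full ancestor chain.
function sourceMatches(source, page, embedder) {
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return embedder.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+(?::\d+)?)$/.exec(s);
  if (!m) return false; // 'none' or unsupported syntax: matches nothing
  const [, scheme, wildcard, host] = m;
  // A host-source without a scheme is compared using the page's own scheme.
  if (embedder.protocol !== (scheme ? scheme + ":" : page.protocol)) return false;
  return wildcard ? embedder.host.endsWith("." + host) : embedder.host === host;
}

function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const page = new URL(pageOrigin), embedder = new URL(embedderOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const fa = (h["content-security-policy"] || "")
    .split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    // frame-ancestors takes precedence: X-Frame-Options is ignored when present.
    return fa.slice(1).some(src => sourceMatches(src, page, embedder));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder.origin === page.origin;
  return true; // no usable framing protection (ALLOW-FROM is obsolete)
}

// Constructed sample responses for a hypothetical portal page.
const PAGE = "https://portal.example.test";
const OTHER = "https://other-site.example";
const samples = {
  "no headers": {},
  "XFO deny": { "X-Frame-Options": "DENY" },
  "CSP allowlist": {
    "Content-Security-Policy":
      "default-src 'self'; frame-ancestors 'self' https://*.example.test",
  },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, "-> framable by third party:", canBeFramedBy(hdrs, PAGE, OTHER));
}
```

A page that returns `true` for an unrelated origin is in the state the summary describes: any site can load it in an iframe and exchange postMessages with it.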

Affected Services

Azure Bastion, Azure Container Registry

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Thu, Apr 13th, 2023

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

8.63

(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:0.9)

Discovered by

Lidor Ben Shitrit, Orca Security