CVE-2019-6146: Cross Site Scripting (XSS) via Host Header Injection | ForcePoint Web Security 8.4 & 8.5

Vulnerability Name: Cross Site Scripting (XSS) vulnerability via Host Header Injection.

Product: Forcepoint Web Security 8.5 & 8.4

Scenario and Reproduction Steps:

To reproduce this issue, I need Forcepoint to handle any error/exception. Fortunately, I found a website (http://prasenjit.com) which has improper SSL over HTTP. That is why, without Forcepoint, the browser shows the error page below when anyone tries to access https://prasenjit.com.

FIG: Generic error without forcepoint installed

Now if a user tries to access https://prasenjit.com where Forcepoint is installed, Forcepoint handles this exception by showing the custom page below:

FIG: Custom page of forcepoint

Now if we monitor the traffic via Burp Suite, we will find the request and response below.

FIG: Request and Response for https://prasenjit.com

Now let’s intercept the traffic while accessing https://prasenjit.com and modify the Host header from prasenjit.com to

FIG: Modified Host header with XSS payload

Once this is done, let’s check the web interface.

FIG: Bing0000!!!! XSS

Now let’s look at the request and response for this.

FIG: Request and response with XSS payload
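
The root cause shown above is an error page that echoes the Host header without encoding it. The sketch below is an added example, not Forcepoint's code: the template, function names and the marker string are assumptions made for illustration. It puts the verbatim reflection beside a version that validates the header and HTML-encodes it before display.

```python
import html
import re

# Hypothetical error-page template; not Forcepoint's actual markup.
TEMPLATE = ("<html><body><h1>Connection error</h1>"
            "<p>Could not reach: {host}</p></body></html>")

# hostname[:port] only; IPv6 literals are left out to keep the example short.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*(?::\d{{1,5}})?")


def render_error_page_unsafe(host_header: str) -> str:
    """Reflects the Host header verbatim, the pattern the write-up describes."""
    return TEMPLATE.format(host=host_header)


def is_valid_host(host_header: str) -> bool:
    """Accept only a syntactically valid hostname with an optional port."""
    name = host_header.rsplit(":", 1)[0] if ":" in host_header else host_header
    # fullmatch (not match with $) so a trailing newline is rejected too.
    return len(name) <= 253 and HOST_RE.fullmatch(host_header) is not None


def render_error_page_safe(host_header: str) -> str:
    """Validate first, then HTML-encode whatever ends up in the page."""
    shown = host_header if is_valid_host(host_header) else "(invalid host)"
    return TEMPLATE.format(host=html.escape(shown, quote=True))


if __name__ == "__main__":
    # Constructed inputs: a normal header and one carrying harmless markup.
    samples = ["prasenjit.com", 'prasenjit.com"><i>constructed-marker</i>']
    for value in samples:
        print("header :", value)
        print("unsafe :", render_error_page_unsafe(value))
        print("safe   :", render_error_page_safe(value))
        print()
```

Validation and output encoding are applied together on purpose: encoding alone already stops the markup from rendering, while validation keeps malformed Host values out of the page and out of downstream logs.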

Acknowledgements

  • CVE-2019-6146: https://nvd.nist.gov/vuln/detail/CVE-2019-6146?cpeVersion=2.2
  • ForcePoint KBA: https://support.forcepoint.com/KBArticle?id=000017702

Video PoC
