CVE-2019-6146: Cross Site Scripting (XSS) via Host Header Injection | ForcePoint Web Security 8.4 & 8.5
Vulnerability Name: Cross Site Scripting (XSS) vulnerability via Host Header Injection.
Product: Forcepoint Web Security 8.5 & 8.4
Scenario and Reproduction Steps:
To reproduce this issue, I needed Forcepoint to handle an error or exception. Fortunately I found a website (http://prasenjit.com) which has an improper SSL configuration. That is why, without Forcepoint, the browser shows the error page below whenever anyone tries to access https://prasenjit.com .
FIG: Generic error without forcepoint installed
Now if any user behind a Forcepoint installation tries to access https://prasenjit.com, Forcepoint handles this exception by serving the custom page below:
FIG: Custom page of forcepoint
Now if we monitor the traffic via Burp Suite, we find the request and response below.
FIG: Request and Response for https://prasenjit.com
Now let’s intercept the traffic while accessing https://prasenjit.com and modify the Host header from prasenjit.com to
FIG: Modified Host header with XSS payload
Once this is done, let’s check the web interface.
FIG: Bing0000!!!! XSS
Now let’s see the request and response for this.
FIG: Request and response with XSS payload
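The root cause the steps above demonstrate is a custom error page that copies the request's Host header into its HTML without validation or output encoding, so whatever the client puts in that header is rendered by the browser. The following Python is added here as an illustration and is not Forcepoint's code: it contrasts that flawed pattern with a hardened renderer that first checks the Host value against a hostname grammar and then HTML-escapes it, and adds a small detection helper that flags non-hostname Host values in proxy log lines. The page template, the `host="..."` log format and the sample log lines are all constructed for the example.

```python
import html
import re

# Hostname grammar (RFC 1123 labels joined by dots, optional :port).
# Angle brackets, quotes and spaces can never match, so a Host value that
# fails this check is by definition not a hostname and must not be echoed.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?::\d{1,5})?$"
)

# Constructed stand-in for a proxy's certificate-error page.
TEMPLATE = (
    "<html><body><h1>Certificate error</h1>"
    "<p>The site {host} presented a certificate that could not be verified.</p>"
    "</body></html>"
)


def is_valid_host(value: str) -> bool:
    """True when value looks like hostname[:port]; length bound per RFC 1035."""
    return len(value) <= 253 + 6 and _HOST_RE.match(value) is not None


def render_error_page_vulnerable(host_header: str) -> str:
    """The flawed pattern: the Host header is copied into the page verbatim."""
    return TEMPLATE.format(host=host_header)


def render_error_page_hardened(host_header: str) -> str:
    """Validate Host as a hostname, fall back to a neutral label if it is not,
    and HTML-escape the value that is finally interpolated (defence in depth:
    the regex already excludes markup characters, escaping covers future edits
    to the validation rule)."""
    host = host_header.strip()
    if not is_valid_host(host):
        host = "the requested site"  # never reflect an unparseable Host value
    return TEMPLATE.format(host=html.escape(host, quote=True))


def is_host_header_suspicious(host_header: str) -> bool:
    """Detection helper: True when a logged Host value is not a hostname[:port]."""
    return not is_valid_host(host_header.strip())


# Constructed proxy log lines (not Forcepoint's log format). Line 1 carries
# HTML in the Host field, as in the tampered request shown in the advisory.
SAMPLE_PROXY_LOG = [
    'ts=2019-02-01T10:00:00Z client=10.0.0.5 host="prasenjit.com" status=cert-error',
    'ts=2019-02-01T10:00:07Z client=10.0.0.5 host="prasenjit.com\\"><script>alert(1)</script>" status=cert-error',
    'ts=2019-02-01T10:01:00Z client=10.0.0.9 host="example.org:443" status=allowed',
]

# host="..." with backslash-escaped quotes inside the value.
_HOST_FIELD = re.compile(r'host="((?:[^"\\]|\\.)*)"')


def flag_suspicious_hosts(lines):
    """Return indices of log lines whose Host field is not a plain hostname."""
    flagged = []
    for i, line in enumerate(lines):
        m = _HOST_FIELD.search(line)
        if m is None:
            continue
        raw = m.group(1).replace('\\"', '"')
        if is_host_header_suspicious(raw):
            flagged.append(i)
    return flagged


# Constructed Host value of the kind the modified request in the write-up carries.
TAMPERED_HOST = 'prasenjit.com"><script>alert(1)</script>'

if __name__ == "__main__":
    print(render_error_page_vulnerable(TAMPERED_HOST))
    print(render_error_page_hardened(TAMPERED_HOST))
    print(flag_suspicious_hosts(SAMPLE_PROXY_LOG))
```

The hardened renderer treats the Host header as untrusted client input on the same footing as a query parameter: validate against the narrow grammar the field is supposed to hold, substitute a fixed label when validation fails, and encode on output regardless. The log check applies the same grammar to proxy logs, which gives a cheap signal that someone is sending tampered Host headers through the gateway.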
Acknowledgements
- CVE-2019-6146: https://nvd.nist.gov/vuln/detail/CVE-2019-6146?cpeVersion=2.2
- ForcePoint KBA: https://support.forcepoint.com/KBArticle?id=000017702
Video PoC