Reflected XSS on Sidekiq through multiples endpoints via GET parameter "period" in sidekiq/sidekiq

Valid

Reported on

Apr 2nd 2023


Description

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser.

Proof of Concept

There must have been a metrics during the default value of the period parameter. You simply have to set the payload in the period parameter. Payload : "><img/src/onerror=alert(document.domain)>

Example of URL with payload :

  • https://localhost/sidekiq/metrics?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
  • https://localhost/sidekiq/metrics/SanityChecksJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E
  • https://localhost/sidekiq/metrics/ActiveStorage::PurgeJob?period=%22%3E%3Cimg/src/onerror=alert(document.domain)%3E

Impact

An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. In particular, this type of vulnerability can allow an attacker to execute malicious code within the context of the Sidekiq admin panel, which can potentially stop the process, leak all the metrics, and even remove the queue altogether.

Stopping the process is one of the most severe consequences of an XSS attack on Sidekiq, as it can lead to a complete halt of the system's operations. This can have significant implications for businesses or organizations that rely on Sidekiq to manage their background jobs and tasks. If the process is stopped, critical tasks such as sending emails, processing payments, or performing other time-sensitive functions can be disrupted, leading to potential losses of revenue or reputation.

Leaking all the metrics is another risk that can result from an XSS vulnerability on a Sidekiq admin panel. Metrics provide valuable information about the system's performance, and an attacker who gains access to this data can potentially use it to identify vulnerabilities or weaknesses in the system. This can lead to further attacks or exploitation, putting the system and its users at risk.

Removing the queue is yet another consequence of an XSS attack on Sidekiq. The queue is an essential component of Sidekiq, responsible for managing and prioritizing the background jobs and tasks. If an attacker can remove the queue, all the pending jobs and tasks will be lost, potentially leading to data loss or disruption of critical business processes.

In summary, an XSS vulnerability on a Sidekiq admin panel can have severe consequences, including stopping the process, leaking all the metrics, and removing the queue. It is essential for organizations to take proactive measures to mitigate these risks by implementing robust security measures, such as regularly updating software, configuring proper access controls, and implementing web application firewalls.

We are processing your report and will contact the sidekiq team within 24 hours. a year ago
Perce modified the report
a year ago
Perce modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have opened a pull request with a SECURITY.md for sidekiq to merge. a year ago
We have contacted a member of the sidekiq team and are waiting to hear back a year ago
sidekiq/sidekiq maintainer validated this vulnerability a year ago
spercex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
sidekiq/sidekiq maintainer gave praise a year ago
Confirmed, thank you for the example URLs. I was able to confirm the issue quickly.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
sidekiq/sidekiq maintainer marked this as fixed in 7.0.8 with commit 458fdf a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
Max Kramer
10 months ago

@admin, the affected version range published in the CVE should be >=7.0.4, <7.0.8. Not simply <7.0.8.

Issue introduced in this PR: https://github.com/sidekiq/sidekiq/pull/5694. Merged 2023-01-24 and released in 7.0.4.

Issue resolved in https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214 and released in 7.0.8. Affected versions confirmed by maintainer in commit message.

Ben Harvie
10 months ago

Admin


We have updated the versions affected on the report and the CVE, as requested.

to join this conversation