Web attack vector closed after failed fix
Gartner has patched a DOM XSS vulnerability found in the Peer Insights widget, a security bug researchers reckon dates back to the original development of the software.
In a technical write-up of the flaw, penned by Justin Steven, the software security researcher said that “many websites” were made vulnerable to DOM-based cross-site scripting (XSS) when the widget was present.
The Gartner Peer Insights widget is a marketing tool described as “an aggregated, real-time view of a vendor’s review and ratings in a particular market on Gartner Peer Insights” that industry vendors are invited to host on their site to add market “credibility and drive conversions”.
When a website uses the Gartner widget, it sources widget.js from gartner.com and then creates an event listener for postMessage messages before creating a div for the widget to be displayed in.
A hidden iframe pointed at the gartner.com domain requests a specific page from gartner.com, which sends a postMessage message to the parent page. The message data is then used to construct HTML content that is written into the widget’s content div via the innerHTML property.
Verification consists of a check that the string “gartner.com” appears somewhere in the origin of the sending window. The check could therefore be bypassed by sending the message from a website such as https://gartner.com.attacker.com, since that origin still satisfies the substring test.
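The following is an added illustration, not Gartner’s widget code, contrasting the substring origin check described above with an exact-origin allowlist, and showing review data being escaped before it is turned into markup. The trusted origin `https://www.gartner.com`, the message field names (`vendor`, `rating`, `reviewCount`) and the sample messages are assumptions made for the example; the handler returns the markup it would assign instead of touching the DOM so it can be exercised in Node.

```javascript
// Added example (not the widget's own code). Shows a defensive postMessage
// handler for an embedded widget: strict origin validation plus escaping.

// ASSUMPTION: the exact origin the real widget expects is not stated in the
// article; "https://www.gartner.com" is a placeholder for illustration.
const TRUSTED_ORIGINS = new Set(["https://www.gartner.com"]);

// Weak check, mirroring the substring test the article describes: any origin
// that merely contains "gartner.com" is accepted.
function isTrustedOriginWeak(origin) {
  return typeof origin === "string" && origin.includes("gartner.com");
}

// Strict check: parse the origin, require https, and compare the normalised
// origin against an allowlist. Opaque ("null") or malformed origins fail.
function isTrustedOriginStrict(origin) {
  if (typeof origin !== "string") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (_) {
    return false;
  }
  return parsed.protocol === "https:" && TRUSTED_ORIGINS.has(parsed.origin);
}

// Minimal HTML escaping for untrusted text that will be placed into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builds the widget markup from message data. Every free-text field is
// escaped and numeric fields are coerced, so the data cannot inject markup.
// Field names are assumed for the example.
function renderWidgetHtml(data) {
  const rating = Number(data.rating);
  const count = Number(data.reviewCount);
  const ratingText = Number.isFinite(rating) ? rating.toFixed(1) : "n/a";
  const countText = Number.isFinite(count) ? String(count) : "0";
  return `<div class="rating">${escapeHtml(data.vendor)}: ` +
    `${ratingText} / 5 (${countText} reviews)</div>`;
}

// The handler the embedding page would register with
// window.addEventListener("message", ...). It returns the markup that would
// be assigned, or null when the message is dropped, to keep it testable.
function handleWidgetMessage(event) {
  if (!isTrustedOriginStrict(event.origin)) return null;
  if (!event.data || typeof event.data !== "object") return null;
  return renderWidgetHtml(event.data);
}

// Constructed sample messages (not captured traffic).
const fromGartner = {
  origin: "https://www.gartner.com",
  data: { vendor: "ExampleCo", rating: 4.6, reviewCount: 120 },
};
const fromLookalike = {
  origin: "https://gartner.com.attacker.com",
  data: { vendor: "<img src=x onerror=alert(1)>", rating: 5, reviewCount: 1 },
};

// Runs both checks against the sample origins and returns the outcome.
function runDemo() {
  return {
    weakAcceptsLookalike: isTrustedOriginWeak(fromLookalike.origin),
    strictAcceptsLookalike: isTrustedOriginStrict(fromLookalike.origin),
    lookalikeMarkup: handleWidgetMessage(fromLookalike),
    gartnerMarkup: handleWidgetMessage(fromGartner),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The substring check accepts the look-alike origin while the parsed, allowlisted comparison rejects it; escaping the fields is the second layer, so that even a message from a trusted origin cannot smuggle markup into the widget’s container. In a real page the returned string would be assigned to the container, or better, built with `textContent` on individual elements.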
Furthermore, the researcher described innerHTML as a DOM XSS “sink” as several XSS triggers