Abstract
Users of Websense Data Security who are reviewing DLP incidents can be attacked via Cross-Site Scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens or login credentials, performing arbitrary actions as the victim, or logging the victim's keystrokes.
Tested versions
This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well.
Fix
Websense created a workaround to address this issue: in the management console, apply the setting System -> Reporting -> Secure forensics with plain-text.
A permanent fix will be included in Websense TRITON APX version 8.1, scheduled to be released in August 2015.
Introduction
Websense Data Security Suite contains three modules - Data Security Gateway, Data Discover, and Data Endpoint - that can help manage the risk of losing your data to malicious users or accidental misuse.
Users of Websense Data Security are able to view a list of data loss prevention (DLP) related incidents. This list contains incidents from the last 3 or 7 days, including incident details. In the Forensics tab, an email or web proxy DLP incident can be rendered as HTML or as plain text. The default setting is to render the incident as HTML. It was found that user-controllable data is not properly encoded when it is rendered in the Forensics Preview Tab. Due to this, the Forensics Preview Tab is vulnerable to Cross-Site Scripting.
A remote attacker can use this issue to inject malicious JavaScript code into the output of the application, which will execute within the browser of any authenticated user (admin or auditor) who views the relevant DLP incident. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, or logging their keystrokes.
Details
This issue can be exploited using a specially crafted email. An attacker can send an email message that triggers an Email DLP Policy. By including malicious HTML in the message body, it is possible to trigger the Cross-Site Scripting vulnerability in the Forensics Preview Tab.
Figure 1: Cross-Site Scripting in Forensics Preview Tab via email body
Figure 2: Auditor view of DLP incident that contains XSS payload
Similar to the malicious email message, it is possible to trigger this issue by sending a specially crafted HTTP request through the Websense proxy. In the proof of concept below, a Web DLP Policy is triggered using a POST request that contains a Cross-Site Scripting payload.
<html>
<body>
<form action="https://www.securify.nl/poc/Websense.html." method="POST">
<input type="hidden" name="DLP" value="trigger" />
<input type="hidden" name="DLP" value="trigger" />
<input type="hidden" name="DLP" value="trigger" />
<input type="hidden" name="DLP" value="trigger" />
<input type="hidden" name="DLP" value="trigger" />
<input type="hidden" name="DLP" value="trigger" />
<input type="hidden" name="DLP" value="Han"><IFRAME SRC="javascript:alert('WEBSENSE_HACKED_AGAIN!');"></IFRAME>" />
<input type="hidden" name="DLP" value="trigger" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
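To show the underlying defect rather than the trigger, the following added Python example (not the advisory's or Websense's code) contrasts a preview renderer that concatenates captured forensic data straight into HTML with one that HTML-escapes it, in the spirit of the plain-text workaround, and adds a parser-based regression check that the rendered preview contains no executable markup. The sample POST body, the tag and attribute lists, and all function names are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample in the style of the advisory's proof of concept: a POST
# body that trips a Web DLP policy and carries an injected IFRAME payload.
SAMPLE_INCIDENT_BODY = (
    'DLP=trigger&DLP=Han<IFRAME SRC="javascript:alert(\'xss\');"></IFRAME>'
)


def render_preview_vulnerable(body):
    """The defect the advisory describes: captured, attacker-controlled data
    is placed into the preview page without any output encoding."""
    return '<div class="forensics-preview">' + body + '</div>'


def render_preview_plain_text(body):
    """Hardened renderer (assumed design, mirroring the plain-text
    workaround): the captured data is HTML-escaped, so the browser displays
    the markup as text instead of executing it."""
    return '<pre class="forensics-preview">' + html.escape(body, quote=True) + '</pre>'


class _ActiveContentFinder(HTMLParser):
    """Collects elements and attributes that would execute script in a browser."""
    ACTIVE_TAGS = {'script', 'iframe', 'object', 'embed'}
    URL_ATTRS = {'src', 'href', 'action'}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so IFRAME/SRC match.
        if tag in self.ACTIVE_TAGS:
            self.findings.append(tag)
        for name, value in attrs:
            if name.startswith('on'):
                self.findings.append(tag + '@' + name)
            elif name in self.URL_ATTRS and (value or '').strip().lower().startswith('javascript:'):
                self.findings.append(tag + '@' + name + '=javascript:')


def active_content_in(rendered_html):
    """Regression check for a preview renderer: returns the executable markup
    found in the HTML it produced (an empty list means the output is inert)."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings
```

Escaping the captured data is what makes the difference: the same payload still appears in the hardened preview, but only as literal text that the parser (and the browser) never treats as an element.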