Symptom
HTML Injection via Security Misconfiguration TRACE
Environment
SAP SuccessFactors Recruiting Marketing
Reproducing the Issue
- Request the RMK website with the HTTP method changed from GET to TRACE. The response returns 405, meaning the method should not be allowed, but the response still shows that TRACE is processed.
- Send another TRACE request to https://jobs.company.com/platform/images. Notice the more verbose response.
- Inject arbitrary HTML code in "Cookie:" parameter and view the response.
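A 405 status line on its own does not prove TRACE is disabled; the KBA's observation is that the body can still carry an echo of the request. The following checker is an added example (not SAP's code and not part of this KBA) that classifies a raw HTTP response to a TRACE request by looking for that echo. The three sample responses are constructed for illustration; the path `/platform/images` and host `jobs.company.com` are taken from the steps above as placeholders.

```python
"""Classify a raw HTTP response to a TRACE request.

Added example, not SAP's code. The sample responses are constructed to show
the three outcomes a reviewer needs to tell apart: TRACE properly rejected,
TRACE rejected by status but still echoing the request, and TRACE enabled.
"""

# Request headers that, if they reappear in the body, show the server
# reflected the request (the behaviour TRACE is specified to produce).
ECHO_MARKERS = ("Host:", "Cookie:")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_trace_response(raw: str, request_path: str) -> str:
    """Return 'disabled', 'echo_despite_405' or 'enabled'.

    The decision is driven by whether the body echoes the request, not by
    the status code alone: a 405 with an echoed request line is the case
    the KBA describes.
    """
    status, _headers, body = parse_response(raw)
    body = body.lstrip()
    echoed = body.startswith(f"TRACE {request_path} HTTP/") or any(
        marker in body for marker in ECHO_MARKERS
    )
    if not echoed:
        return "disabled"
    return "echo_despite_405" if status == 405 else "enabled"


# Constructed sample responses (not captured from any real server).
PROPERLY_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
ECHO_DESPITE_405 = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Content-Type: message/http\r\n\r\n"
    "TRACE /platform/images HTTP/1.1\r\n"
    "Host: jobs.company.com\r\n"
    "Cookie: session=placeholder\r\n"
)
ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: jobs.company.com\r\n"
)

if __name__ == "__main__":
    for label, raw, path in (
        ("properly disabled", PROPERLY_DISABLED, "/"),
        ("405 but echoing", ECHO_DESPITE_405, "/platform/images"),
        ("enabled", ENABLED, "/"),
    ):
        print(f"{label:18s} -> {classify_trace_response(raw, path)}")
```

In practice the raw text passed to `classify_trace_response` would be the response body as captured by curl or a proxy; the result `echo_despite_405` is the condition to escalate, since the status code alone would have passed a naive check.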
Resolution
According to the Security team, TRACE itself is not considered a security vulnerability because there is no sensitive data in the response payload. This is not specific to the RMK website: checking other sites with curl, such as amazon.com and google.com, returned the same SSL information.
They also advised that HTML injected via the Cookie header is not saved and does not affect subsequent messages.
Keywords
rmk, vulnerability, html injection, trace, TRACE, curl, burpsuite, KBA, LOD-SF-RMK-SEC, Security & Vulnerabilities, Problem