-------------------------------------------------------------------------------
                title| Cross-Site Scripting Vulnerability in MONITORAPP AIWAF
              product| Application Insight Web Application Firewall (AIWAF)
   vulnerable version| ~4.1.6, ~5.0
           CVE number| CVE-2021-40959
                found| 2021-08-19
                   by| Dowon Jeong
                     | NAVER CLOUD
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
MonitorApp provides innovative Web Application Firewall (WAF) solutions to protect enterprise applications from a wide range of cyber threats. With a focus on high-performance security and compliance, MonitorApp's WAF solutions are trusted by organizations to ensure robust protection for their web assets.

Source: https://www.monitorapp.com/ko/waf-kr/

Vulnerable versions
-------------------------------------------------------------------------------
Web Security Practice Service / 4.1.6 and earlier, 5.0 and earlier

Vulnerability overview
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (CVE-2021-40959)
A reflected cross-site scripting vulnerability was identified in the `process` parameter of the page `/process_management/process_status.xhr.php`. The parameter value is reflected into the response, which allows an attacker to inject script that executes in the victim's browser, in the context of the victim's session. The vulnerability can be triggered with the following request:

/process_management/process_status.xhr.php?process=%3Cimg%20src=x%20onerror=alert()%3E

Workaround
-------------------------------------------------------------------------------
- Restrict access to the affected page to trusted users only.
- Validate and sanitize all user input in the web application to prevent injection attacks.

Recommendation
-------------------------------------------------------------------------------
Upgrade to version 5.1 or later to address the vulnerability.

Resolution
-------------------------------------------------------------------------------
The vulnerability was addressed by enforcing the use of the POST method and adopting the multipart/form-data structure for input handling. This change effectively mitigates the Reflected XSS vulnerability. Additionally, inputs that do not match specific cases are ignored, preventing the acceptance of arbitrary strings that do not include reserved characters.
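The following is an added example written for this advisory, not the vendor's code: a minimal stand-in for a process-status handler, first in the vulnerable shape the overview describes (the query parameter is reflected into HTML unescaped) and then in a hardened shape that follows the resolution above (accept the value only from a POST body, ignore anything that is not a known case, and HTML-encode at output). The request structure, the parameter name `process`, the function names and the list of allowed process names are assumptions for illustration.

```php
<?php
// Added example (not MONITORAPP's code): vulnerable and hardened handler
// for a "process" parameter. Function names, the request shape and the
// allowed process names below are assumptions, not taken from the product.

declare(strict_types=1);

// Vulnerable pattern: the parameter is reflected into HTML unchanged, so
// a value containing markup such as an <img ... onerror=...> tag is
// emitted as live HTML and executes in the viewer's browser.
function render_status_vulnerable(array $query): string
{
    $process = $query['process'] ?? '';
    return "<div class=\"status\">Process: {$process}</div>";
}

// Hardened pattern, mirroring the Resolution section:
// 1. only a POST body is consulted, never the query string;
// 2. values that do not match a known case are ignored (allowlist);
// 3. the value is HTML-encoded at the point of output as defense in depth.
const ALLOWED_PROCESSES = ['httpd', 'waf_engine', 'log_collector']; // hypothetical names

function render_status_hardened(string $method, array $body): ?string
{
    if ($method !== 'POST') {
        return null; // parameter delivered via GET: do not render anything
    }
    $process = $body['process'] ?? '';
    if (!in_array($process, ALLOWED_PROCESSES, true)) {
        return null; // not one of the specific cases: ignore the input
    }
    $safe = htmlspecialchars($process, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"status\">Process: {$safe}</div>";
}

// Constructed input: the advisory's payload after URL decoding.
$payload = '<img src=x onerror=alert()>';

// The vulnerable handler reflects the tag verbatim.
$reflected = render_status_vulnerable(['process' => $payload]);
if (strpos($reflected, $payload) !== false) {
    echo "vulnerable handler: markup reflected verbatim", PHP_EOL;
}

// The hardened handler refuses the GET delivery, refuses the unknown
// value over POST, and renders only an allowlisted name.
var_dump(render_status_hardened('GET',  ['process' => $payload]));
var_dump(render_status_hardened('POST', ['process' => $payload]));
var_dump(render_status_hardened('POST', ['process' => 'httpd']));
```

Moving the parameter from the query string to a POST body makes the payload harder to deliver as a clickable link, but on its own it does not remove the injection; the allowlist check (and the output encoding kept alongside it) is what actually prevents attacker-controlled markup from reaching the response.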

Contact Timeline
-------------------------------------------------------------------------------
2021-08-19: Initial report sent to vendor.
2021-09-10: Vendor released patch for version 4.1.6.
2021-09-24: Vendor released patch for version 5.0.

EOF Dowon Jeong / @2021