Posted on March 4, 2023 at 11:53 AM
Cybersecurity researchers detect crucial vulnerabilities in Backstage that hackers could exploit
Backstage, the open source internal developer portal, has a critical vulnerability that threat actors could exploit. Backstage is a platform engineering tool adopted by large organizations such as American Airlines, Fidelity Investments, Netflix, and VMware.
Researchers detect vulnerability in Backstage
This vulnerability could enable a threat actor to inject malicious code into the application. It was attributed to insufficient validation of user-supplied data in the search functionality of the software catalog.
This vulnerability is not as critical as the one detected in November, which had a CVSS score of 10 out of 10; it has a moderate severity level and a CVSS score of 6.8. The metrics indicate that an attacker would need few resources and little expertise to launch the attack.
The attack vector is the network: the attacker is remote and does not need physical access to the system, nor does the attacker need privileged access to exploit the vulnerability.
XSS vulnerabilities are commonly used to steal cookies and take over user sessions. They can also be used to expose sensitive data, access privileged services and functions, and spread malware.
To address the vulnerability, users running an affected version of the packages need to upgrade to the fixed versions. The CVSS base metrics mark the scope as changed for the three affected packages, meaning that exploitation could affect the system's confidentiality and allow an attacker to access sensitive information.
One of the components that might be affected is the Backstage Catalog Model. This package provides multiple validators that ensure data conforms to the defined interfaces.
Developers can also use the interfaces and validators in the catalog-model package to ensure that software components are represented correctly within the Backstage Software Catalog. Using Backstage results in better organization, discovery, and reuse of software components.
The other critical component is the Backstage Catalog Backend Plugin, which provides backend functionality for the software catalog. This package includes the built-in database implementation of the catalog that stores and serves catalog data.
12 packages currently depend on plugin-catalog-backend-module. These include the AWS Extension Module, which lets users add AWS accounts to Backstage so they can view and manage those accounts and other resources within the catalog. The GitLab Extension Module and the OpenAPI Extension Module might also be at risk of exploitation.
Ways to protect oneself against XSS vulnerabilities
It is crucial for individuals and organizations to protect themselves from XSS attacks in order to secure their web applications. One of the best practices is input validation: validating all user input and filtering the data before it is displayed to a user.
It is also important to encode special characters and spaces as their HTML or URL-encoded equivalents so that user-supplied data is rendered as text rather than interpreted as markup. A content security policy restricts the types of content that can be loaded within a page, which prevents attackers from executing malicious scripts or injecting malicious code into a page.
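The encoding, validation and policy practices above, as an added example that is not Backstage project code: a framework-free rendering of a catalog search term back into HTML, with the unsafe and the encoded form side by side. The function names, the allowlist pattern and the CSP value are assumptions chosen for illustration.

```javascript
// Added example (not Backstage project code). Backstage itself is React-based;
// this is a framework-free illustration of output encoding for a search term.

// Every character with meaning in HTML text or attribute context is mapped to
// its entity, so user-supplied data can never close a tag or open a new one.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the query is concatenated straight into markup, so a
// query containing '<' or '>' is parsed as HTML instead of shown as text.
function renderSearchHeaderUnsafe(query) {
  return `<h2>Results for "${query}"</h2>`;
}

// Hardened pattern: the query is encoded before it reaches the markup.
function renderSearchHeaderSafe(query) {
  return `<h2>Results for "${escapeHtml(query)}"</h2>`;
}

// Allowlist validation for the search term (hypothetical rule): letters,
// digits, whitespace and a few punctuation marks, at most 200 characters.
// Validation complements output encoding; it does not replace it.
const SEARCH_TERM_RE = /^[\w\s.\-:\/@]{1,200}$/;
function isValidSearchTerm(query) {
  return SEARCH_TERM_RE.test(query);
}

// A Content-Security-Policy value (assumed, not Backstage's own) that forbids
// inline scripts, so a missed encoding alone cannot run injected script.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample: a harmless tag that should be displayed, not interpreted.
const sampleQuery = '<b>payments-service</b> & "billing"';
console.log(renderSearchHeaderUnsafe(sampleQuery)); // tag survives as markup
console.log(renderSearchHeaderSafe(sampleQuery));   // tag shown as literal text
console.log('Content-Security-Policy:', CSP_HEADER);
```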
Another best practice is disabling client-side scripts, which helps ensure that malicious scripts are not executed in browsers. Redirecting invalid requests to safe pages and displaying an error message is another best practice.
With session management in place, it is possible to detect multiple logins, such as those made from two different IP addresses, and shut down those sessions. Proper session management helps prevent session hijacking attacks. Reviewing the documentation of the libraries used within an application also helps a developer understand which elements support embedded HTML.
With these best practices, a developer can prevent XSS vulnerabilities and keep web applications secure.