Web Management Interface XSS

• Vulnerability

• • Devices don’t sanitize input / web output
  • Device web management apps display log and message data

• Attack

• • Embed XSS code into a signaling message
  • Send crafted message to target device
  • Wait for user to display logs/message via the device’s web interface

• Impact

• • Cross-Site-Scripting code execution
  • Potential traversal of trust boundaries