
[MEDIUM] Security Advisory: Emissary has Stored XSS via Navigation Template Link Injection (gov.nsa.emissary:emissary)

Emissary, the National Security Agency’s open-source tool for routing and transforming data in secure networks, patched a stored XSS vulnerability in version 8.39.0. Attackers with admin access could inject javascript: URIs into navigation links, tricking other authenticated users into executing malicious scripts via simple clicks. This affects the web interface, typically used by operators in air-gapped or trusted setups.

The flaw stems from the Mustache template nav.mustache, which inserts configuration-controlled link values straight into href attributes without checking the URL scheme. Line 10 renders {{#navItems}} <a href="{{link}}">{{display}}</a> {{/navItems}}. Mustache's HTML escaping blocks tag injection, but it does nothing against a javascript: URI, because such a value contains none of the characters it escapes (such as < or >).

Attack in Action

An admin edits the navItems config to set a link like javascript:alert(document.cookie). Any user viewing the web UI sees this in the navigation menu. One click runs the payload in the victim’s browser context, stealing cookies or performing actions as that user.

Impact hinges on prerequisites: admin privileges to alter config and user clicks. No remote exploitation without those. In Emissary’s world—think intel agencies routing classified data—this means insider threats or compromised admins pose the real risk. Session hijacking could leak operator creds or trigger unintended data flows. Mitigating factors include trusted networks and authenticated-only access, but humans click shiny things.

Emissary processes streams from tools like Wireshark or custom agents, often in high-stakes C2 or SIGINT ops. A hijacked session might expose configs, keystrokes, or pivot to backend services. CVSS isn’t scored here, but it’s medium per the advisory—fair, given the access bar.

The Fix: Server-Side Sanity

PR #1293, merged for 8.39.0, adds server-side validation in NavAction.java. A regex whitelist permits only http://, https://, or relative / paths:

// NavAction.java (PR #1293); the import, class wrapper and logger field are shown here for context, and the SLF4J logger type is assumed.
import java.util.regex.Pattern;

public class NavAction {
    private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(NavAction.class);

    // Whitelist: http://..., https://..., or a relative path beginning with "/".
    private static final Pattern VALID_LINK = Pattern.compile("^(https?:/)?/.*");

    // Log and reject any link outside the whitelist so the caller drops it before rendering.
    private static boolean isValidLink(String link) {
        if (!VALID_LINK.matcher(link).matches()) {
            logger.warn("Skipping invalid navigation link '{}'", link);
            return false;
        }
        return true;
    }
}

Bad links get logged and dropped before rendering. Templates also gain rel="noopener noreferrer" for extra protection against tabnabbing.

Tests confirm that javascript: and ftp:// links are rejected and that legitimate schemes are accepted. Clean, effective defense.
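The two points above, that HTML escaping alone leaves a javascript: link untouched and that the 8.39.0 scheme whitelist catches it, worked through as an added example. This is illustration code written for this page in JavaScript, not Emissary's own (which is Java): the regex is the one from PR #1293, the escape table mimics Mustache's default {{value}} escaping, and the nav items, display names and example.invalid hostnames are constructed.

```javascript
// Added example (not Emissary's code): HTML escaping vs. a server-side scheme whitelist
// for navigation links. Regex mirrors the 8.39.0 fix; nav items below are constructed.

// Mustache-style escaping of {{value}}: it only neutralises tags and attribute breakouts.
function htmlEscape(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => table[c]);
}

// Same whitelist as NavAction.java: http://..., https://..., or a path beginning with "/".
// The trailing $ reproduces Java's full-string matches() semantics.
const VALID_LINK = /^(https?:\/)?\/.*$/;

function isValidLink(link) {
  return VALID_LINK.test(link);
}

// Render the {{#navItems}} block the way the patched flow does: validate first, escape as
// Mustache would, add rel="noopener noreferrer". Returns the dropped links too, so a caller
// can log them the way the Java fix does.
function renderNav(navItems) {
  const skipped = [];
  const parts = [];
  for (const item of navItems) {
    if (!isValidLink(item.link)) {
      skipped.push(item.link);
      continue;
    }
    parts.push(
      `<a href="${htmlEscape(item.link)}" rel="noopener noreferrer">${htmlEscape(item.display)}</a>`
    );
  }
  return { html: parts.join(''), skipped };
}

// Constructed sample config: two legitimate entries, one javascript: entry, one ftp: entry.
const SAMPLE_NAV_ITEMS = [
  { display: 'Dashboard', link: '/emissary/Dashboard.action' },
  { display: 'Docs', link: 'https://example.invalid/docs' },
  { display: 'Help', link: 'javascript:alert(document.cookie)' },
  { display: 'Mirror', link: 'ftp://example.invalid/' },
];

// Escaping alone returns the javascript: URI byte-for-byte: there is nothing to escape.
console.log(htmlEscape('javascript:alert(document.cookie)'));
const rendered = renderNav(SAMPLE_NAV_ITEMS);
console.log(rendered.html);
console.log('skipped:', rendered.skipped);
```

One property of the pattern worth knowing when auditing a navItems config: because it accepts anything that starts with "/", a protocol-relative link such as //example.invalid/x also passes. That is still a safe scheme for the XSS at issue, but a deployment that wants navigation pinned to its own origin needs a stricter check than the whitelist alone.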

Why this matters: Emissary’s GitHub repo has 300+ stars and forks, signaling use beyond NSA—in threat hunting, SOCs, even red teams. Open-source security tools often run with elevated trust, amplifying misconfigs. This vuln highlights a classic trap: templating user input without protocol checks. Similar issues hit tools like Grafana or Kibana navs.

Workaround if stuck: Manually audit navItems for safe schemes. Upgrade ASAP—8.39.0 drops July 2024. Track GHSA-wjqm-p579-x3ww for updates.

Skeptical take: Admin-only exploit limits blast radius, but in zero-trust shifts, even insiders warrant hardening. NSA open-sourcing fixes promptly builds cred; still, scan your Emissary deploys. Tools like this power real ops—don’t let a nav link own your console.

April 8, 2026 · 3 min · 11 views · Source: GitHub Security