ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS
ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an authenticated reflected
cross-site scripting vulnerability. Input passed to the GET parameters 'name'
and 'id' is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML/JS code in a user's browser session
in context of an affected site.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5897
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5897.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
http://192.168.73.31:7226/servlets/MapServices?cmd=<script>alert(document.cookie)</script>&id=251
http://192.168.73.31:7226/servlets/MapServices?cmd=readScheduleConfig&id=<script>confirm(document.cookie)</script>ABB Cylon Aspect 3.08.03 (MapServicesHandler) — Authenticated Reflected XSS: Analysis, Impact, and Mitigation
This article examines an authenticated reflected cross-site scripting (XSS) vulnerability reported in ABB Cylon Aspect firmware (≤ 3.08.03) affecting MapServicesHandler. It covers how reflected XSS works in this context, the impacted components, practical detection guidance for defenders, and robust mitigations developers and operators can apply to reduce risk.
Executive summary
The MapServicesHandler component in certain ABB Cylon Aspect deployments returned user-controlled GET parameters without proper output encoding, enabling reflected XSS in authenticated sessions. An attacker with access to a valid account could craft a link that, when opened by another authenticated user, results in execution of injected HTML/JavaScript in the victim’s browser session. The primary risks are session hijacking, UI manipulation, and browser-based pivoting to other internal resources.
Key affected products and versions
| Vendor | Product | Affected firmware |
|---|---|---|
| ABB Ltd. | NEXUS Series, MATRIX-2, ASPECT-Enterprise, ASPECT-Studio | Firmware ≤ 3.08.03 (MapServicesHandler reflection) |
Vulnerability type and technical background
Reflected XSS occurs when an application includes untrusted input in an HTTP response without appropriate sanitization or encoding for the output context. Because the injected content is reflected in the page the victim loads, the attack requires the victim to click or visit a crafted link. In the MapServicesHandler case, certain GET parameters were echoed into HTML contexts without encoding, exposing authenticated sessions to script injection.
Why reflected XSS matters in BMS/BAS systems
- Building management systems often provide control panels and telemetry access in a browser context; a successful XSS can allow an attacker to manipulate UI elements or issue actions on behalf of a user.
- Authenticated XSS increases the impact: attackers can target operators with elevated privileges who are already logged into the system.
- Industrial and operational environments have unique risk profiles: lateral movement and data exfiltration from a compromised admin workstation can have physical safety or availability implications.
Attack surface and prerequisites
- Vulnerability is reflected and requires an interaction (a victim must open a crafted URL).
- Attacker needs authentication or must convince an authenticated user to click the crafted link.
- Exploitation targets browsers and depends on the victim’s session state in the web UI.
Safe testing and detection guidance (for defenders)
Always test only in an authorized and isolated environment. Do not attempt active exploitation against production or systems you do not own or administer.
- Use a dedicated lab that mirrors the targeted firmware version and network topology.
- When probing for reflected output, prefer non-malicious markers (for example, a short ASCII token like TEST_XSS_TOKEN) instead of active scripts. This verifies reflection without executing code.
- Automated scanners (e.g., OWASP ZAP, Burp Scanner) can identify reflection points; confirm findings manually and verify whether output is encoded for the specific HTML context.
- Check contexts: HTML body, attribute values, JavaScript contexts, CSS, and URL contexts all require different encoding strategies.
Example: safe detection token (non-executable)
GET /servlets/MapServices?name=TEST_XSS_TOKEN&id=123 HTTP/1.1
Host: 192.0.2.10
Cookie: session=example
Explanation: This benign request demonstrates using a non-executable marker ("TEST_XSS_TOKEN") to confirm whether the value of the 'name' parameter is reflected in responses. Because the marker contains no angle brackets or event handlers, it will not execute even if echoed directly.
Mitigations and remediation best practices
Remediation should be implemented in multiple layers: patch the vendor-supplied firmware where available, fix application code to apply context-aware output encoding, and apply defence-in-depth controls at the HTTP and browser level.
- Vendor patching: Apply vendor firmware updates or official patches for Aspect products as soon as they are available. Track vendor advisories and coordinate patch rollout with operational schedules.
- Context-aware output encoding: Encode user input on output using the appropriate encoder for the HTML context (HTML body, attribute, JavaScript string, CSS, or URL).
- Input validation and canonicalization: Normalize inputs and apply strict allow-lists where feasible (e.g., allow only expected identifiers, numbers, or safe tokens for specific parameters).
- Content Security Policy (CSP): Implement a restrictive CSP to block inline scripts and other dangerous sources. Use nonces or hashes for any legitimate inline scripts.
- Cookie protection: Ensure authentication cookies are set with Secure, HttpOnly and SameSite flags to reduce the impact of client-side script access.
- UI hardening: Avoid reflecting raw user-supplied data into HTML; prefer server-side rendering of validated, encoded values or use client-side templating frameworks that auto-escape by default.
Code examples: safe output encoding and cookie flags
Below are non-exploitable examples showing common secure patterns. They demonstrate how to transform reflected data into a safe form and how to set protective cookie attributes.
Java (Servlet) — safe HTML encoding using OWASP Java Encoder
import org.owasp.encoder.Encode;
// Inside servlet doGet/doPost:
String name = request.getParameter("name"); // raw input
String safeName = Encode.forHtml(name); // encode for HTML body
response.setContentType("text/html; charset=UTF-8");
PrintWriter out = response.getWriter();
out.println("<div>Name: " + safeName + "</div>");Explanation: This servlet example reads a user parameter and encodes it with the OWASP Java Encoder (Encode.forHtml) before inserting into an HTML response. This prevents HTML special characters from being interpreted as markup or scripts. Use context-aware methods such as Encode.forJavaScript when embedding into inline JavaScript contexts.
PHP — safe output using htmlspecialchars
<?php
$name = $_GET['name'] ?? '';
// Encode for HTML output, convert both double and single quotes, and use UTF-8
$safeName = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<div>Name: <?= $safeName ?></div>Explanation: htmlspecialchars converts HTML special characters to safe entities. ENT_QUOTES ensures both single and double quotes are encoded; ENT_SUBSTITUTE helps avoid encoding errors for invalid UTF-8. Always use the appropriate encoding function for the output context.
Content Security Policy (example header)
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abcdef'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'Explanation: A CSP restricts where resources can be loaded from. Declaring 'script-src' to only permit scripts from the same origin and a server-supplied nonce prevents execution of injected inline scripts. Adjust the policy to your application’s needs and deploy incrementally with report-uri/report-to to observe effects.
Secure cookie attributes (example)
Set-Cookie: session=eyJ...; Path=/; Secure; HttpOnly; SameSite=StrictExplanation: The Secure flag ensures cookies are only sent over HTTPS; HttpOnly prevents client-side scripts from reading cookie values; SameSite=Strict reduces the risk of cross-site cookie forwarding. These controls reduce the potential impact of XSS but are not a substitute for fixing the underlying vulnerability.
Detecting residual issues
- Validate that all user-controllable inputs that appear in HTML are properly encoded in their exact output context.
- Review server logs and web application firewall (WAF) logs for suspiciously crafted requests targeting map/servlet endpoints.
- Perform code reviews focusing on rendering logic and templating code paths tied to MapServicesHandler or similar handlers.
Operational guidance and incident response
- If an instance is suspected to be exploited, isolate the affected host from the network and preserve logs for forensic analysis.
- Rotate credentials used by affected systems and enforce multifactor authentication for operator accounts.
- Communicate with the vendor for patch timelines and coordinated disclosure processes.
Responsible disclosure and CVE tracking
Report any confirmed findings through vendor channels and follow responsible disclosure practices. Track published advisories for vendor-supplied patches and apply fixes in accordance with operational risk management.
Conclusion
Authenticated reflected XSS in building management systems like ABB Cylon Aspect can carry heightened operational risks because it targets already-authenticated operator sessions. Mitigation requires immediate vendor patching where available, correct context-aware output encoding in application code, and layered defenses such as CSP and secure cookie flags. Use safe, non-destructive testing methods and coordinate remediation with stakeholders to minimize disruption to critical operational environments.