Alteryx Server
cpe:2.3:a:alteryx:alteryx_server:*:*:*:*:*:*:*
- 2023.1.1.460
A vulnerability in Alteryx Server versions 2023.1.1.460 and later allows remote attackers to steal valid user session tokens from localStorage. This issue arises because session tokens are stored in plaintext in localStorage, which is accessible via JavaScript. If an attacker can execute a script in the user's browser, such as through cross-site scripting (XSS), they can retrieve these tokens and impersonate users, potentially leading to account takeover.
Exploitation of this vulnerability could result in unauthorized access to user accounts, including those with administrative privileges, allowing attackers to perform actions on behalf of the compromised users.
To reproduce this vulnerability, log into Alteryx Server with a valid user account. Then, open the browser's Developer Tools and navigate to the Storage tab. Inspect the localStorage section to confirm that session tokens are stored in plaintext. Once the tokens are visible there, any script running in the same origin, including an injected one, can read them.
Session tokens should be stored in cookies with the HttpOnly and Secure flags set, so that JavaScript cannot read them and they are only sent over HTTPS. Additionally, defend against XSS by validating inputs, encoding outputs, and deploying a strong Content Security Policy. Rotate and invalidate tokens regularly, especially on logout, and configure sessions to expire quickly.
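As an added example (not Alteryx's code), the cookie-based alternative described above: a helper that issues the session token as an HttpOnly, Secure, short-lived cookie, and an audit that checks a captured login response for the two things the advisory turns on, a token handed to page script in the body and a session cookie missing its protective flags. The cookie name `session`, the token alphabet and the response shape are assumptions.

```javascript
// Added example, not Alteryx's own code. The cookie name and the base64url-style
// token alphabet are assumptions made for the demonstration.
const SESSION_COOKIE = "session";
const TOKEN_CHARS = /^[A-Za-z0-9._~-]+$/;

// Issue the session token as a cookie instead of returning it to page script.
// HttpOnly keeps it out of document.cookie (and injected script); Secure limits
// it to HTTPS; SameSite=Strict blocks cross-site sends; short Max-Age limits a stolen token's life.
function buildSessionCookie(token, { maxAgeSeconds = 900 } = {}) {
  if (!TOKEN_CHARS.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  return [`${SESSION_COOKIE}=${token}`, "Path=/", `Max-Age=${maxAgeSeconds}`,
          "HttpOnly", "Secure", "SameSite=Strict"].join("; ");
}

// List the protections a single Set-Cookie value lacks.
function auditSetCookie(header) {
  const attrs = new Set(header.split(";").slice(1) // skip the name=value pair
    .map((a) => a.trim().split("=")[0].toLowerCase()));
  const missing = [];
  if (!attrs.has("httponly")) missing.push("HttpOnly");
  if (!attrs.has("secure")) missing.push("Secure");
  if (!attrs.has("samesite")) missing.push("SameSite");
  if (!attrs.has("max-age") && !attrs.has("expires")) missing.push("Max-Age/Expires");
  return missing;
}

// Audit a captured login response ({ headers: { "set-cookie": [...] }, body }).
// A token in the JSON body is exactly what page script would copy into
// localStorage, so it is reported alongside any missing cookie flags.
function auditLoginResponse(res) {
  const findings = [];
  const cookie = (res.headers["set-cookie"] || [])
    .find((h) => h.startsWith(`${SESSION_COOKIE}=`));
  if (!cookie) findings.push("no session cookie issued");
  else findings.push(...auditSetCookie(cookie).map((m) => `session cookie missing ${m}`));
  let body = {};
  try { body = JSON.parse(res.body) ?? {}; } catch { /* non-JSON body: nothing to check */ }
  for (const key of Object.keys(body)) {
    if (/token|session/i.test(key)) findings.push(`token exposed in body field "${key}"`);
  }
  return findings;
}

// Constructed responses: the pattern the advisory describes, and the fixed one.
const WEAK = { headers: {}, body: JSON.stringify({ sessionToken: "ab12cd34" }) };
const FIXED = { headers: { "set-cookie": [buildSessionCookie("ab12cd34")] }, body: "{\"ok\":true}" };
console.log(auditLoginResponse(WEAK));  // two findings for the vulnerable pattern
console.log(auditLoginResponse(FIXED)); // []
```

Point `auditLoginResponse` at a real captured login response to confirm the fix is in place; the server must still invalidate the token on logout, since the cookie flags only control what the browser does with it.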