Zscaler Accused of Throwing Stones From a Glass House Over XSS Vulnerability

On the day that the company started a PR push for the Zscaler Application Profiler (ZAP), using a Cross-Site Scripting (XSS) flaw discovered in ESPN’s ScoreCenter mobile application as a case study, an email started circulating detailing an XSS flaw on Zscaler’s very own website.

On Friday afternoon, SecurityWeek received an anonymous email from someone who discovered an XSS flaw in the password reset function of Zscaler’s website.

Zscaler is a San Jose, California-based company that provides cloud-based security to enterprises.

“Today zScaler released a press release concerning cross-site scripting (XSS) vulnerabilities on the ESPN website. zScaler is ignoring the proverb that those who live in glass houses shouldn’t throw stones,” says the email, quoted here in an unedited form.

“Despite their claims of ‘Secure. Everywhere’, zScalers own service contains multiple similar vulnerabilities to those they highlight on ESPN. The most egregious of these is a trivial cross-site scripting vulnerability on the zScaler login page. Using this vulnerability allows for the theft of zScaler sessions, and combined with another undisclosed vulnerability in their site can be used to steal login credentials for any of zScalers 10 million users worldwide.”

We cannot confirm the email’s claims about the number of potentially exposed customers or the ability to steal credentials, since the demonstrated XSS likely exposes only basic user accounts on the main domain, but the flaw itself is valid.

Zscaler’s website says that it currently secures 10 million users in 180 countries, and that more than 3,500 global enterprises use its cloud solutions.

SecurityWeek contacted Zscaler, which did acknowledge the vulnerability, but downplayed the danger that it brings.

“Zscaler tested the link and can confirm that the page identified does contain a reflected XSS vulnerability,” Michael Sutton, VP of Security Research at Zscaler told SecurityWeek.

“Fortunately, it is on a pre-auth page for a domain that is part of the login process, not the admin console, therefore exploitation of the XSS would not allow an attacker to obtain the authentication cookie of a Zscaler customer,” Sutton explained. “We appreciate having this brought to our attention.”

However, the anonymous tipster claims otherwise. 

“The vuln below has been used and proofed to work at stealing end-user post-login cookies,” the anonymous individual wrote in an email exchange with SecurityWeek. “This cookie allows us to access the zScaler servers as another user, and as they do not require re-authentication at regular intervals will work likely for a long time for any user.”

“The page is pre-auth, but can be used post-auth,” the email continued. “Exactly like the ESPN XSS they published which was on the pre-auth login page.”

While the individual outing Zscaler said he had planned to notify the company under responsible disclosure, Zscaler’s disclosure of ESPN’s mobile app vulnerability triggered the person to out Zscaler. 

“ZScaler was to be notified of these issues following Responsible Disclosure rules, but them releasing a press release regarding similar vulnerabilities in another side could be ignored and shows their disinterest in following standard security industry practices,” the email said.

Zscaler says it notified ESPN on Wednesday, but it disclosed the vulnerability in its blog post before ESPN had fixed it; according to Zscaler, the fix was in place on Friday.

The pictures below show the XSS vulnerability in action.

[Screenshots: XSS Vulnerability Screenshot; Zscaler XSS Flaw]

It’s clear from the content that the anonymous email was intentionally delivered on the same day that Zscaler started promoting their mobile scanning application ZAP.

In an attempt to embarrass the company, the email quotes an interview given by Sutton, to CRN, where he addresses XSS flaws by calling them Security 101. 

“These are just really simple coding errors. A lot of this stuff is Security 101,” Sutton told CRN. “Everyone is worried about malware and malicious applications, but the real threat is the app that is poorly coded and we are blindly trusting it while it’s placing our privacy at risk.”

The question, then, is why Zscaler’s own security tools and development checks missed this rather common flaw, in a Web function that is commonly targeted by exactly this type of attack. Most, if not all, application security checks cover password reset functions as a rule, or at the very least include them in scans for user input validation.
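As an added illustration of the pattern discussed above (this is not code from the article or from Zscaler), the hypothetical password-reset handler below reflects the submitted address back into the form, first verbatim (the reflected XSS defect) and then output-encoded, alongside the cookie attributes that limit what a script running on the login domain can read. The handler, parameter name, probe string and cookie value are all constructed.

```python
import html
from urllib.parse import parse_qs

# Constructed request: the reset form is reloaded with the submitted address
# so the user can correct a typo. Hypothetical handler, not Zscaler's code.
SAMPLE_QUERY = "email=%3Cscript%3Eprobe()%3C%2Fscript%3E"
PROBE = "<script>probe()</script>"


def email_from_query(query: str) -> str:
    """Pull the 'email' parameter out of a raw, URL-encoded query string."""
    return parse_qs(query).get("email", [""])[0]


def render_reset_vulnerable(email: str) -> str:
    """Reflected XSS: user input is spliced into the HTML verbatim, so a
    value containing '"><script>' breaks out of the attribute."""
    return f'<form method="post"><input name="email" value="{email}"></form>'


def render_reset_fixed(email: str) -> str:
    """Same page with output encoding: quote=True also escapes " and ',
    so the input cannot leave the attribute context."""
    safe = html.escape(email, quote=True)
    return f'<form method="post"><input name="email" value="{safe}"></form>'


def reflects_unescaped(page: str, probe: str) -> bool:
    """Scanner-style reflection check: does the probe appear unchanged?"""
    return probe in page


def session_cookie_header(value: str) -> str:
    """Defensive cookie attributes. HttpOnly keeps document.cookie from
    exposing the session id to any script on the domain (pre-auth or
    post-auth); Secure and SameSite restrict where the cookie is sent."""
    return f"Set-Cookie: session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    email = email_from_query(SAMPLE_QUERY)
    print("vulnerable reflects probe:", reflects_unescaped(render_reset_vulnerable(email), PROBE))
    print("fixed reflects probe:", reflects_unescaped(render_reset_fixed(email), PROBE))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

The reflection check is the kind of probe an input-validation scan runs against every reflected parameter, which is why a password-reset form should never escape coverage.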

As a SecurityWeek reader pointed out, this isn’t the first time Zscaler has had an XSS vulnerability on its site. In May 2012, a security researcher found a similar vulnerability on Zscaler’s website and notified the company under responsible disclosure.

Even though the code was vulnerable, Zscaler’s cloud service would hopefully have prevented the attack from succeeding against its own customers.

The issue will be addressed tonight in a code update, Sutton said.

Updated 5:03PM ET to add additional commentary from anonymous source.

Updated 7:19PM ET to add additional commentary from anonymous source and Zscaler.

Updated 01/19 9:48AM ET to add details of previous XSS vulnerability pointed out by a SecurityWeek reader.
