Below you will find pages that utilize the taxonomy term “OIDC”
POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows
In 2020, a blog post was published here about the real-world security implications of a vague specification of the Redirect URI within the OAuth 2.0 RFC1. At that time, I focussed on redirect-based flows. This post uncovers additional protocol-level issues that lead to security vulnerabilities in popular and well-audited SSO implementations such as Authentik (CVE-2024-21637), Keycloak (CVE-2023-6134), and FusionAuth. Notably, the vulnerabilities were identified in the context of the OAuth 2.0 Form Post Response Mode2 and the SAML POST-Binding3 and therefore are not limited to OAuth 2.0 and OpenID Connect, but also affect SAML-based SSO-Flows.
In this post, we will dive into specification inaccuracies regarding the use of dangerous pseudo-schemes (JavaScript-URIs) in combination with POST-based SSO flows such as the OAuth 2.0 Form Post Response Mode2 and the SAML POST-Bindings3, resulting in a protocol-level Cross-Site Scripting (XSS) vulnerability pattern.
SSO Gadgets II: Unauthenticated Client-Side Template Injection to Account Takeover using SSO Gadget Chain
The following unauthenticated Client-Side Template Injection (CSTI) resulting in a Cross-Site Scripting (XSS) vulnerability was discovered in a private bug bounty program. While the vulnerability could only be exploited in case a user had no active session at the application, chained with an SSO gadget, a malicious actor could have still gained access to the user’s account and performed actions on behalf of the user.
SSO Gadgets: Escalate (Self-)XSS to ATO
With the rise of Single-Sign-On (SSO) and especially OAuth 2.0 and OpenID Connect (OIDC), the attack surface of web applications has increased significantly. In this post, I will show how to escalate a Cross-Site Scripting (XSS) vulnerability to an Account Takeover (ATO) by abusing OAuth2/OIDC gadgets and how to prevent such attacks.
AuRA: Auth. Request Analyser
The Auth. Request Analyser (AuRA) Chromium extension aims to support the analysis of OAuth and OpenID Connect implementations, by offering semi-automated analysis and attack capabilities for Authorization/Authentication Requests.
Custom and flexible OAuth/OIDC SP and IdP implementations
During my master’s thesis, I created custom OpenID Connect Service Provider (SP) and Identity Provider (IdP) implementations for research and Proof-of-Concept purposes. Both implementations use NodeJS. This post outlines their capabilities and how they can be extended.
Insufficient Redirect URI validation: The risk of allowing to dynamically add arbitrary query parameters and fragments to the redirect_uri
In this post, I will discuss an OAuth 2.0 and OpenID Connect 1.0 implementation flaw pattern that was or is present even in well-known implementations from Github, Stackoverflow and Microsoft.