Below you will find pages that utilize the taxonomy term “SAML”
POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows
In 2020, a blog post was published here about the real-world security implications of a vague specification of the Redirect URI within the OAuth 2.0 RFC1. At that time, I focussed on redirect-based flows. This post uncovers additional protocol-level issues that lead to security vulnerabilities in popular and well-audited SSO implementations such as Authentik (CVE-2024-21637), Keycloak (CVE-2023-6134), and FusionAuth. Notably, the vulnerabilities were identified in the context of the OAuth 2.0 Form Post Response Mode2 and the SAML POST-Binding3 and therefore are not limited to OAuth 2.0 and OpenID Connect, but also affect SAML-based SSO-Flows.
In this post, we will dive into specification inaccuracies regarding the use of dangerous pseudo-schemes (JavaScript-URIs) in combination with POST-based SSO flows such as the OAuth 2.0 Form Post Response Mode2 and the SAML POST-Bindings3, resulting in a protocol-level Cross-Site Scripting (XSS) vulnerability pattern.