The omniauth failure endpoint is vulnerable to Reflected XSS through the message parameter.
Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim’s browser.
The same endpoint is also vulnerable to an Open Redirect through the auth_origin_url parameter. Unauthenticated attackers can craft a URL that sends users to a malicious site to phish credentials or launch additional attacks.
URLs to reproduce:
The following URL should trigger a JS alert with the XSS message.
https://site/omniauth/failure?message=<script>alert('XSS')</script>&omniauth_window_type=sameWindow&resource_class=User
The following URL should redirect to google.
https://site/omniauth/failure?message=failure&omniauth_window_type=sameWindow&resource_class=User&auth_origin_url=http://www.google.com
Reason:
The render_data_or_redirect and fallback_render methods in app/controllers/devise_token_auth/omniauth_callbacks_controller.rb use untrusted input to build the redirect target and to render the error message.
Remediation:
Redirect to a pre-configured auth_origin_url value and do not trust user input.
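The following is an added, stand-alone Ruby example (not code from devise_token_auth or from the reporter) showing the two patterns the Reason and Remediation sections describe: a redirect target taken verbatim from the request beside one checked against a configured allowlist of origins, and an error message interpolated into HTML verbatim beside an escaped one. ALLOWED_AUTH_ORIGINS, DEFAULT_AUTH_ORIGIN and the function names are hypothetical; the param hashes are constructed from the reproduction URLs above.

```ruby
require "uri"
require "erb"

# Hypothetical deployment configuration (assumption, not a library setting):
# the only origins the app is allowed to send a user back to after an
# OmniAuth failure, plus the page used when the request supplies nothing usable.
ALLOWED_AUTH_ORIGINS = ["https://app.example.com", "https://admin.example.com"].freeze
DEFAULT_AUTH_ORIGIN  = "https://app.example.com/auth/failure".freeze

# Vulnerable pattern (illustrative): whatever auth_origin_url the request
# carries becomes the redirect target, so http://www.google.com is accepted.
def redirect_target_unsafe(params)
  params["auth_origin_url"] || DEFAULT_AUTH_ORIGIN
end

# Hardened pattern: accept auth_origin_url only when it is an absolute http(s)
# URL whose scheme://host[:port] origin is allowlisted; otherwise fall back to
# the configured default. Non-HTTP schemes (javascript:, data:), protocol-
# relative "//evil" and userinfo tricks ("https://app.example.com@evil") all
# fail the origin comparison.
def redirect_target_safe(params, allowed = ALLOWED_AUTH_ORIGINS, default = DEFAULT_AUTH_ORIGIN)
  candidate = params["auth_origin_url"].to_s
  return default if candidate.empty?

  uri = URI.parse(candidate)
  return default unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP

  origin = "#{uri.scheme}://#{uri.host}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  allowed.include?(origin) ? candidate : default
rescue URI::InvalidURIError
  default
end

# Vulnerable pattern (illustrative): the message parameter is dropped into the
# response body unchanged, so <script> in the query string runs in the browser.
def failure_html_unsafe(message)
  "<p class=\"error\">#{message}</p>"
end

# Hardened pattern: HTML-escape the message before interpolation. In an ERB
# view this is what the default <%= %> escaping does, as long as the value is
# never marked html_safe or emitted with raw.
def failure_html_safe(message)
  "<p class=\"error\">#{ERB::Util.html_escape(message)}</p>"
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs mirroring the reproduction URLs above.
  open_redirect = { "auth_origin_url" => "http://www.google.com" }
  xss_message   = "<script>alert('XSS')</script>"

  puts "unsafe redirect -> #{redirect_target_unsafe(open_redirect)}"
  puts "safe redirect   -> #{redirect_target_safe(open_redirect)}"
  puts "unsafe html     -> #{failure_html_unsafe(xss_message)}"
  puts "safe html       -> #{failure_html_safe(xss_message)}"
end
```

The origin comparison is done on the parsed scheme, host and port rather than with a prefix or substring match on the raw string, so "https://app.example.com.evil.com" and "https://app.example.com@evil.com" are rejected even though both start with an allowlisted origin.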
Version:
>= 0.1.33
Routes:
/omniauth/failure