In the saml2/login endpoint, when third-party SSO is enabled, the idp query parameter is vulnerable to reflected cross-site scripting (XSS): its value is reflected into the response without adequate input validation or output encoding, so attacker-controlled markup and script execute in the application's origin.
Proof of Concept:
Visit the following URL while third-party SSO is enabled: crypt.domain.com/saml2/login/?idp=<%2fscript><svg/onload=alert(origin)>
The %2f decodes to /, so the decoded value is </script><svg/onload=alert(origin)>: it closes the script element the parameter is reflected into and injects an svg element whose onload handler runs immediately.
An alert dialog showing the application's origin appears, confirming that the injected script executed in the context of crypt.domain.com.
Impact: the same injection point can carry JavaScript that exfiltrates data, so an attacker who lures an authenticated user to a crafted link can steal user data or session information from that user's session.
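The reflection described above, modelled in Python as an added example; this is not code from the affected application. The shape of the vulnerable template (the value dropped into an inline script and into body text), the KNOWN_IDPS allowlist and the render functions are assumptions for illustration. The block decodes the idp value from the proof-of-concept URL the way a web framework would, shows the unencoded render breaking out of the script block, and shows a hardened render that rejects anything other than a configured IdP and, as a second layer, encodes for the JavaScript and HTML contexts separately.

```python
import html
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL from the report, as written there.
POC_URL = "https://crypt.domain.com/saml2/login/?idp=<%2fscript><svg/onload=alert(origin)>"

# Constructed for this example: IdP entity IDs the application is configured to trust.
KNOWN_IDPS = {"https://idp.example.org/saml2/metadata"}


def idp_from_url(url: str) -> str:
    """Return the idp query value as a framework hands it to the view: percent-decoded,
    so %2f becomes / and the value is </script><svg/onload=alert(origin)>."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("idp", [""])[0]


def render_vulnerable(idp: str) -> str:
    """Assumed shape of the affected page: the parameter is placed inside an inline
    script and in body text with no encoding, which is what the report describes."""
    return (
        f'<script>var idp = "{idp}";</script>\n'
        f"<p>Redirecting to {idp}</p>"
    )


def js_string_literal(value: str) -> str:
    """Encode a value for a JavaScript string context. json.dumps() alone is not
    enough: it leaves <, > and & untouched, so an injected </script> would still
    terminate the script element; those characters are emitted as \\uXXXX escapes,
    which JavaScript decodes but the HTML parser does not see as tags."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_hardened(idp: str) -> Optional[str]:
    """Allowlist first: idp must name a configured IdP, so attacker text never reaches
    the template. Context-aware encoding stays as a second layer for the day the
    allowlist is relaxed. None means the view should answer 400, not echo the value."""
    if idp not in KNOWN_IDPS:
        return None
    return (
        f"<script>var idp = {js_string_literal(idp)};</script>\n"
        f"<p>Redirecting to {html.escape(idp, quote=True)}</p>"
    )


def script_block_broken_out(markup: str) -> bool:
    """True if the markup carries a closing </script> beyond the single one the
    template emits, or an injected <svg> element: the signature of the PoC."""
    lowered = markup.lower()
    return lowered.count("</script>") > 1 or "<svg" in lowered


if __name__ == "__main__":
    raw = idp_from_url(POC_URL)
    print("decoded idp:", raw)
    print("vulnerable render breaks out:", script_block_broken_out(render_vulnerable(raw)))
    print("hardened render of PoC value:", render_hardened(raw))
    print("hardened render of a trusted IdP:")
    print(render_hardened("https://idp.example.org/saml2/metadata"))
```

The allowlist is the real fix here: an idp value is an identifier the application already knows, so there is no reason to reflect anything else. The encoding helpers matter because the reflection sits in two different contexts (a JavaScript string and HTML text), and a single HTML-escape pass is the wrong encoding for the script context.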