SAML Consumer Service XSS vulnerability
Description
The application's SAML Consumer Service fails to properly sanitize user-controlled values from SAMLResponse parameters before rendering them in web pages, resulting in a Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can craft malicious SAML responses containing JavaScript payloads that execute in victims' browsers when processed by the vulnerable endpoint.
This vulnerability affects the authentication flow and can be exploited without prior authentication to the application.
Remediation
Implement comprehensive input validation and output encoding for all SAML response data before rendering it in HTML contexts. Follow these specific steps:
1. Apply Context-Appropriate Output Encoding:
Encode all SAMLResponse values based on where they are rendered (HTML body, attributes, JavaScript, etc.). Use established encoding libraries rather than custom implementations.
// Example using OWASP Java Encoder
import org.owasp.encoder.Encode;

// The value comes from the SAMLResponse parameter: treat it as untrusted input
String samlValue = getSAMLResponseValue();
// Encode for the HTML-body context before the value is written into the page
String safe = Encode.forHtml(samlValue);
response.getWriter().write(safe);
2. Implement Content Security Policy (CSP):
Deploy a strict CSP header to mitigate XSS impact even if encoding is bypassed.
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'
3. Validate SAML Response Structure:
Verify that SAML responses conform to expected schemas and reject malformed or suspicious content before processing.
4. Use Security-Focused SAML Libraries:
Use well-maintained SAML libraries that handle encoding automatically and follow security best practices.
5. Avoid Reflecting Unvalidated Input:
Never directly reflect SAMLResponse parameters in error messages or debug output without proper sanitization.
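The steps above combined in one consumer endpoint, as an added example that is not part of this advisory: it assumes a Python handler that returns the HTTP response as a dict (the advisory's own snippet is Java), shows a 'before' function that reflects the raw parameter and an 'after' function applying steps 1, 2, 3 and 5 (step 4, using a maintained SAML library, is not modelled). The SAML documents and the probe string are constructed here.

```python
import base64
import html
import xml.etree.ElementTree as ET  # production code should use defusedxml for the same calls

SAML_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

def _encode(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()

# Constructed sample inputs (hypothetical, not taken from the advisory).
GOOD_RESPONSE = _encode(f'<samlp:Response xmlns:samlp="{SAML_NS}" ID="_r1" Version="2.0"/>')
# Well-formed XML whose ID attribute decodes to a script tag: passes structure checks, still an XSS payload
HOSTILE_ID_RESPONSE = _encode(
    f'<samlp:Response xmlns:samlp="{SAML_NS}" Version="2.0" '
    'ID="&lt;script&gt;alert(1)&lt;/script&gt;"/>')
# Not base64 at all: a probe for whether the error page reflects the raw parameter
RAW_PROBE = "<script>alert(1)</script>"

def _decode(saml_response: str) -> ET.Element:
    # validate=True makes non-base64 characters raise binascii.Error (a ValueError)
    return ET.fromstring(base64.b64decode(saml_response, validate=True))

def vulnerable_acs(saml_response: str) -> dict:
    """'Before': the raw parameter and unencoded attributes are written into HTML."""
    try:
        root = _decode(saml_response)
    except (ValueError, ET.ParseError) as exc:
        return {"status": 400, "headers": {},
                "body": f"<p>Invalid SAMLResponse: {saml_response} ({exc})</p>"}
    return {"status": 200, "headers": {},
            "body": f"<p>Accepted response {root.get('ID')}</p>"}

def hardened_acs(saml_response: str) -> dict:
    """'After': steps 1, 2, 3 and 5 of the remediation applied."""
    headers = {"Content-Security-Policy": CSP,          # step 2
               "Content-Type": "text/html; charset=utf-8"}
    try:
        root = _decode(saml_response)
    except (ValueError, ET.ParseError):
        # step 5: a fixed message; the raw parameter never reaches the page
        return {"status": 400, "headers": headers, "body": "<p>Invalid SAMLResponse.</p>"}
    # step 3: reject anything that is not a SAML 2.0 <samlp:Response>
    if root.tag != f"{{{SAML_NS}}}Response" or root.get("Version") != "2.0":
        return {"status": 400, "headers": headers, "body": "<p>Unexpected SAML document.</p>"}
    # step 1: HTML-body context, so HTML-entity encode every value taken from the response
    shown_id = html.escape(root.get("ID", ""), quote=True)
    return {"status": 200, "headers": headers, "body": f"<p>Accepted response {shown_id}</p>"}
```

The hostile ID case is the one structure validation alone does not catch: the document is valid SAML-shaped XML, so only the output encoding in the hardened handler keeps the script tag inert.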