CVE-2019–8400: Reflected XSS in ORY Hydra
Heyy Everyonee, hope you all are doing good.
I am back with another blog post. You're probably wondering whether this one is also going to be about XSS, and you're right. But this time I got something great along with the bounty, which really means a lot to me: a CVE was assigned for it.
Information:
Url: https://github.com/ory/hydra/
Version affected: < v1.0.0-rc.3
NIST CVE url: https://nvd.nist.gov/vuln/detail/CVE-2019-8400#vulnCurrentDescriptionTitle
Short Story…
A few months back I found an XSS on one of Zomato's websites. After reporting it, I came to know that the problem was in ORY Hydra, a service Zomato was using for authentication on one of their services. You can get the whole story here: link.
Let's move to the PoC
Take this URL as an example:
Change the redirect_uri parameter value and you will be redirected to an error page:
https://auth2.site.com/oauth2/fallbacks/error?error=xss&error_description=xss&error_hint=xss
As you can see, the parameter values are reflected in the page source.
Using the payload <marquee loop%3d1 width%3d0 onfinish%3dco\u006efirm(document.cookie)>XSS<%2fmarquee> in any of the available parameters, you get the XSS popup.
It was fixed within a few hours by the maintainers of ORY Hydra.
Patch: https://github.com/ory/hydra/commit/9b5bbd48a72096930af08402c5e07fce7dd770f3
Upgrading to the latest version of ORY Hydra and setting up a custom error reporting endpoint solves this problem.
Thank you.
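To show why the fallback error page was exploitable and how output escaping closes it, here is an added Go example written for this post (it is not ORY Hydra's code or its actual patch): a stand-in handler that reflects the three query parameters through text/template, beside the same handler using html/template's contextual escaping, plus a helper that renders both offline against a constructed probe value.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	texttemplate "text/template"
)

// Constructed stand-in for the fallback error page: the three query
// parameters land directly in the HTML body.
const page = `<html><body><h1>{{.Error}}</h1><p>{{.Description}}</p><p>{{.Hint}}</p></body></html>`

type errorPage struct{ Error, Description, Hint string }

func fromRequest(r *http.Request) errorPage {
	q := r.URL.Query()
	return errorPage{q.Get("error"), q.Get("error_description"), q.Get("error_hint")}
}

// vulnerableHandler: text/template copies the values verbatim, so markup
// in the query string reaches the browser unescaped (reflected XSS).
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	texttemplate.Must(texttemplate.New("err").Parse(page)).Execute(w, fromRequest(r))
}

// hardenedHandler: html/template escapes each value for the HTML
// context it is inserted into, neutralising the same input.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	template.Must(template.New("err").Parse(page)).Execute(w, fromRequest(r))
}

// Render serves one GET to a handler and returns the body for offline comparison.
func Render(h http.HandlerFunc, rawQuery string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/oauth2/fallbacks/error?"+rawQuery, nil)
	h(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed probe: a harmless tag placed in error_hint.
	q := "error=xss&error_description=xss&error_hint=%3Cmarquee%3EXSS%3C%2Fmarquee%3E"
	fmt.Println(Render(vulnerableHandler, q))
	fmt.Println(Render(hardenedHandler, q))
}
```

The first body carries the tag through to the browser; the second renders it as text (&lt;marquee&gt;...), which is the behaviour a fixed fallback page should show.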