CVE-2019-8400: Reflected XSS in ORY Hydra

Sudhanshu Rajbhar
Apr 10, 2019

Hey everyone, hope you all are doing good.

I am back with another blog, and you are probably wondering whether this one is also going to be about XSS. Well, you're right. But this time I got something great along with the bounty, which really means a lot to me: a CVE was assigned for it.

Information:

Url: https://github.com/ory/hydra/

Affected versions: before v1.0.0-rc.3

NIST CVE url: https://nvd.nist.gov/vuln/detail/CVE-2019-8400#vulnCurrentDescriptionTitle

Short Story…

A few months back I found an XSS on one of Zomato's websites. After reporting it I came to know that the problem was in ORY Hydra, an OAuth 2.0 and OpenID Connect server which Zomato was using for authentication on one of their services. You can get the whole story here: link.

Let's move to the PoC.

Take this URL as an example. It is a normal OAuth 2.0 authorization request to Hydra's /oauth2/auth endpoint:

https://auth2.site.com/oauth2/auth?response_type=code&client_id=123dsds-90be-49d2-ac52-4a8b1a25bcf1&redirect_uri=https://site.com/user/oauth2/redirect_uri&state=2BHoBnVFFKP29L6SerHgEb7OCn21as

Change the redirect_uri parameter to a value that does not match the redirect URI registered for that client. Hydra cannot safely send the error back to an unregistered redirect URI, so instead it redirects you to its own fallback error page, passing the error details as query parameters:

https://auth2.site.com/oauth2/fallbacks/error?error=xss&error_description=xss&error_hint=xss

Default error page of ORY Hydra

As you can see, the values of the error, error_description and error_hint parameters are reflected into the page's HTML source without any escaping.

Just by putting the payload <marquee loop%3d1 width%3d0 onfinish%3dco\u006efirm(document.cookie)>XSS<%2fmarquee> into any of those parameters, you get the XSS popup. Note that %3d and %2f are simply URL-encoded = and /, which the server decodes before reflecting the value, and \u006e is a JavaScript Unicode escape for the letter n, so co\u006efirm still evaluates to confirm in the browser even though the literal word confirm never appears in the URL.

It was fixed within a few hours by the maintainers of ORY Hydra.

Patch: https://github.com/ory/hydra/commit/9b5bbd48a72096930af08402c5e07fce7dd770f3

Upgrading to the latest version of ORY Hydra fixes the problem. Configuring a custom error endpoint, so that Hydra redirects errors to your own page instead of serving the default fallback page, also keeps the vulnerable page out of reach.
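To make the reflection and the fix concrete, here is an added example of the bug class, not Hydra's actual code or the contents of the patch above. It models the fallback error page as two small Go net/http handlers: one that builds the HTML with fmt.Fprintf (so the query parameters land in the document unescaped, as in the vulnerable versions), and one that renders the same page through html/template, which escapes every interpolated value for its HTML context. The page layout, the handler names, and the Render helper are assumptions made for this illustration; the payload is the one from the post, written with its URL-encoding already removed.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Payload is the constructed payload from the post with the URL-encoding already
// removed (the server decodes %3d to "=" and %2f to "/" before reflecting it).
// The \u006e stays: it is a JavaScript Unicode escape, so co\u006efirm is still
// confirm once the browser parses the event handler.
const Payload = `<marquee loop=1 width=0 onfinish=co\u006efirm(document.cookie)>XSS</marquee>`

// ErrorPage holds the three query parameters the fallback page reflects.
type ErrorPage struct {
	Error       string
	Description string
	Hint        string
}

func pageFromQuery(r *http.Request) ErrorPage {
	q := r.URL.Query()
	return ErrorPage{
		Error:       q.Get("error"),
		Description: q.Get("error_description"),
		Hint:        q.Get("error_hint"),
	}
}

// VulnerableErrorHandler concatenates the decoded query values straight into the
// HTML, so any markup in them becomes part of the document (hypothetical code
// illustrating the bug class, not Hydra's implementation).
func VulnerableErrorHandler(w http.ResponseWriter, r *http.Request) {
	p := pageFromQuery(r)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<html><body><h1>%s</h1><p>%s</p><p>%s</p></body></html>",
		p.Error, p.Description, p.Hint)
}

// hardenedTemplate is parsed by html/template, which contextually escapes every
// {{...}} value at execution time.
var hardenedTemplate = template.Must(template.New("error").Parse(
	`<html><body><h1>{{.Error}}</h1><p>{{.Description}}</p><p>{{.Hint}}</p></body></html>`))

// HardenedErrorHandler renders the same page through html/template, so the
// reflected values arrive in the browser as inert text rather than markup.
func HardenedErrorHandler(w http.ResponseWriter, r *http.Request) {
	p := pageFromQuery(r)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if err := hardenedTemplate.Execute(w, p); err != nil {
		http.Error(w, "template error", http.StatusInternalServerError)
	}
}

// Render sends an in-process request with the payload in error_description (the
// same works for error and error_hint) and returns the response body.
func Render(h http.HandlerFunc, payload string) string {
	q := url.Values{
		"error":             {"invalid_request"},
		"error_description": {payload},
		"error_hint":        {"The redirect_uri does not match the client."},
	}
	req := httptest.NewRequest(http.MethodGet, "/oauth2/fallbacks/error?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

// Reflected reports whether the payload reached the body as live markup.
func Reflected(body string) bool {
	return strings.Contains(body, "<marquee")
}

func main() {
	for name, h := range map[string]http.HandlerFunc{
		"vulnerable": VulnerableErrorHandler,
		"hardened":   HardenedErrorHandler,
	} {
		body := Render(h, Payload)
		fmt.Printf("%-10s reflected as markup: %v\n%s\n\n", name, Reflected(body), body)
	}
}
```

Running it prints the vulnerable body with the <marquee> element intact and the hardened body with it turned into &lt;marquee ...&gt;, which is exactly the difference between a popup and a harmless error message. The same in-process check is a cheap regression test to keep next to any page that echoes request data.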

Thank you.
