Ory Polis DOM-Based Cross-Site Scripting Vulnerability in SAML to OAuth Login Flow

A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in Ory Polis, specifically in versions prior to 26.2.0. The issue arises in the login functionality, where the application improperly trusts a URL parameter, 'callbackUrl', which is passed to 'router.push' without adequate validation. This flaw allows an attacker to craft a malicious link that, when clicked by an authenticated user or an unauthenticated user who subsequently logs in, executes arbitrary JavaScript in the context of the user's browser. Such exploitation could lead to credential theft, unauthorized actions on behalf of the user, and internal network pivoting if the user has access to internal systems.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the user's browser, potentially leading to credential theft, unauthorized actions performed on behalf of the user, and internal network pivoting if the user has access to internal systems.

Reproduction

To reproduce this vulnerability, first, log into Ory Polis version 1.52.2 or earlier. Then, click on a link that includes a 'callbackUrl' parameter crafted to execute JavaScript, such as an alert. If the 'callbackUrl' is set to a JavaScript URI, the script will execute in the context of the user's browser, demonstrating the XSS vulnerability. This can be done by manually creating a URL with the malicious 'callbackUrl' parameter and accessing it while logged in.

Remediation

Users can update to Ory Polis version 26.2.0 or later, where this vulnerability has been patched.