Closed
Hi,
There seems to be a reflected XSS vulnerability on the consent page. See screenshot.
Steps to reproduce:
- clone the repository (22/8/2016 master branch)
- run the openid-connect-server-webapp
- visit http://localhost:8080/openid-connect-server-webapp/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=http://localhost/%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E&nonce=123&state=456 in Firefox (V48.0 on Linux)
- login as "user" / "password"
- a popup saying "XSS" appears
In Chrome the script execution gets blocked: "The XSS Auditor refused to execute a script in 'http://localhost:8080/openid-connect-server-webapp/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=http://localhost/%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E&nonce=123&state=456' because its source code was found within the request. The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."
Regards,
Reto
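The report above describes a request-supplied redirect_uri being echoed unescaped into the consent page. The following is an added example, not code from MITREid Connect or from the reporter, showing the two server-side controls a defender would want on the authorization endpoint: reject any redirect_uri that does not exactly match one registered for the client (the OAuth 2.0 / OpenID Connect rule), and HTML-escape every request value before it is placed in markup. The function names, the registered URI list and the `client` entry are constructed for the example; the sample input is the encoded value from the issue's reproduction URL.

```python
"""Defensive handling of redirect_uri on an OAuth 2.0 / OpenID Connect
authorization endpoint. Added example; not MITREid Connect's own code."""
import html
from urllib.parse import unquote

# Constructed sample registry: redirect URIs a hypothetical client "client"
# registered at provisioning time. Real servers load this from client metadata.
REGISTERED_REDIRECT_URIS = {
    "client": ["http://localhost/callback"],
}

# Defense in depth for the rendered consent page: a CSP header means a browser
# will not run inline script even if an escaping bug slips through. (The Chrome
# message in the report notes the server sent neither CSP nor X-XSS-Protection.)
CONSENT_PAGE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
}


def is_registered_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the client's registered URIs, as
    RFC 6749 section 3.1.2.2 and OIDC Core require. No prefix matching and no
    normalization: anything not registered verbatim is rejected."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def render_consent_fragment(client_id: str, redirect_uri: str) -> str:
    """Builds the consent-page snippet that tells the user where they will be
    sent. Every request-supplied value is HTML-escaped (including quotes) before
    it is embedded, so a value containing <script> is shown as text, not run."""
    return "<p>Client <b>{}</b> will redirect you to <code>{}</code></p>".format(
        html.escape(client_id, quote=True),
        html.escape(redirect_uri, quote=True),
    )


def handle_authorize(client_id: str, redirect_uri_param: str):
    """Returns (accepted, html_body). Validation runs before any rendering, and
    the rejection page escapes whatever it echoes back to the user."""
    redirect_uri = unquote(redirect_uri_param)  # query-string decoding
    if not is_registered_redirect_uri(client_id, redirect_uri):
        return False, "<p>Invalid redirect_uri: <code>{}</code></p>".format(
            html.escape(redirect_uri, quote=True)
        )
    return True, render_consent_fragment(client_id, redirect_uri)


# Constructed input: the redirect_uri value from the issue's reproduction URL,
# still URL-encoded as it appears in the query string.
REPORTED_PARAM = "http://localhost/%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E"

if __name__ == "__main__":
    accepted, body = handle_authorize("client", REPORTED_PARAM)
    print(accepted, body)
    print(CONSENT_PAGE_HEADERS)
```

Run against the reported value, `handle_authorize` refuses the request because the URI is not registered, and the error page contains `&lt;script&gt;` rather than a live tag; a registered URI passes validation and is rendered escaped as well, so the escaping does not depend on the validation having caught everything.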