XSS Injection on Custom New Universal Login Page

rueben.tiow · March 8, 2024, 10:36pm

Last Updated: Dec 3, 2024

Overview

A security report about an XSS injection possibility on the log-out flow was received. A custom login domain with a custom new universal login page is being used. With the following sample, we can see the alert triggered:

https://[CUSTOM_LOGIN_DOMAIN/v2/logout?returnTo=%22%3E%3Cscript%3Ealert(%22Hello%20Attacker%22)%3C/script%3E%3C%3Ehttps://APP_DOMAIN.com

Applies To

Custom New Universal Login Page
XSS Injection

Solution

It is recommended to add | escape in the liquid templates to avoid XSS attacks on the new universal login page. A sample is available in our documentation on how to escape the temple variables.

Topic		Replies	Views
Variable injection and any liquid syntax not working in Customize Login Page Help login-experience , new-universal-login-experience	1	280	March 13, 2024
Error messages vs pages Help login-experience , new-universal-login-experience	0	842	April 28, 2023
Redirect URL in Universal Login Help	2	1683	February 2, 2023
Login Prompt Experience (New) Knowledge Articles login , prompt , universal-login , new-universal-login	1	2633	April 15, 2022
New Universal Login Experience customization Help auth0 , login	3	1899	November 25, 2021

XSS Injection on Custom New Universal Login Page

Overview

Applies To

Solution

Related topics