Hi, This is a public disclosure (with disarmed Proof of Concept) of unpatched vulnerabilities in JOIDS (Java OpenID Server). "JOIDS (Java OpenID Server) is a multi-domain, multi-user OpenID Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity" (https://code.google.com/p/openid-server/). JOIDS version 1.2.1 (current) and probably prior versions are prone to reflected XSS'es and session fixation vulnerabilities. As Vendor failed to issue a patch (see below) application may be considered as vulnerable and not supported any more. Timeline: 24.11.2013 - Vendor notified 01.12.2013 - Vendor response: "no time to fix" 04.01.2014 - Vendor notified of possible disclosure (no answer) 04.03.2014 - Public disclosure Vulnerabilities' details are below. Remaining attributes, not relevant to vulnerabilities, but required by OpenID provider have been removed. 1) XSS in openid.identity parameter. Example: https://<openid_server>/server?<removed_attributes>&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select"><img%20src%3da%20onerror%3dalert("XSS")>< 2) XSS in openid.realm parameter. Example: https://<openid_server>/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=https://<SCRIPT>alert("XSS")</SCRIPT>/&openid.return_to=https://<SCRIPT>alert("XSS")</SCRIPT>&<removed_attributes> Above bugs can lead to stealing user's session cookie by an attacker or a Relying Party. Session cookie is a part of a Web page source, so HttpOnly attribute does not protect cookies from these XSS attacks. 3) Session fixation It is possible for an attacker to trick legitimate user to click link like: https://<openid_server>/home;jsessionid=9FBC9A83AD152F5701C0395A92FF23AB and wait until the user logs in. After that, the attacker can use this jsessioid to forge his cookie and get access to OpenID server with legitimate user's permissions. greets, -- Bartlomiej Balcerek Wroclaw Centre for Networking and Supercomputing