[keycloak-user] Is it CSRF vulnerability?

Baskin, Ilia ibaskine at microstrategy.com
Fri Feb 19 18:01:32 EST 2016


Hi,

I am experimenting with Keycloak to evaluate its suitability for our application. Here is one of my experiments, which got me worried:

I created a simple page (see attached), deployed it on Tomcat and registered it in Keycloak as a confidential client. As you can see, the page contains a button, clicking on which executes a simple XHR request. Notice that the XHR request doesn't contain an Authorization header. On submission of my page URL I am redirected to Keycloak for authentication. After authentication I can submit XHR requests at will.

Now I copied my page and deployed the copy on the same Tomcat as a different, totally unsecured application. If I open this page in another browser tab and click on the XHR button, it goes through without any problem. It looks to me like a typical CSRF case. Am I missing something here?

Thanks.
Ilia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160219/9f65cb7f/attachment-0002.html 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160219/9f65cb7f/attachment-0003.html 
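One server-side mitigation for the situation described above, as an added example that is not from the original post and not part of Keycloak or its Tomcat adapter: a servlet filter for the protected application that rejects state-changing requests unless the `Origin` header (or `Referer` when `Origin` is absent) matches the application's own origin, supplied through an assumed `allowedOrigin` init-param, and the request carries the custom `X-Requested-With` header that a plain HTML form, `<img>` or `<script>` tag on another site cannot set.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Rejects state-changing requests unless (1) the request carries the custom
// X-Requested-With header, which cross-site forms and tags cannot add, and
// (2) the Origin header, or the Referer when Origin is absent, matches this
// application's own origin. Safe methods (GET/HEAD/OPTIONS) pass untouched.
public class CsrfOriginFilter implements Filter {
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));
    private String allowedOrigin; // assumed init-param, e.g. "http://localhost:8080"

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        allowedOrigin = cfg.getInitParameter("allowedOrigin");
        if (allowedOrigin == null) {
            throw new ServletException("allowedOrigin init-param is required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (SAFE_METHODS.contains(http.getMethod()) || isTrusted(http)) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Package-private so the decision can be unit-tested with a mock request.
    boolean isTrusted(HttpServletRequest http) {
        if (!"XMLHttpRequest".equals(http.getHeader("X-Requested-With"))) return false;
        String origin = http.getHeader("Origin");
        if (origin != null) return allowedOrigin.equals(origin);
        // Some browsers omit Origin on same-origin XHR; fall back to Referer.
        String referer = http.getHeader("Referer");
        return referer != null && referer.startsWith(allowedOrigin + "/");
    }

    @Override public void destroy() {}
}
```

These header checks distinguish requests forged from other sites; a page served from the same scheme, host and port as the protected application, as in the second experiment, sits inside the browser's same-origin boundary and is not distinguishable by them, so untrusted content should not share the protected application's origin.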

