[keycloak-user] XXE Switches warning
Bill Burke
bburke at redhat.com
Wed May 11 15:19:35 EDT 2016
Ugh, I forgot the specifics around that warning message. I think JDK 8
doesn't support some of the XXE flags or something, or, earlier versions
of the JDK don't support them. I forget.
On 5/11/16 1:31 PM, Josh Cain wrote:
> Hi all,
>
> I'm running Keycloak 1.9.3.Final with the standard out-of-the-box
> Wildfly configuration in a test environment, and I noticed this warning:
>
> WARN [org.keycloak.saml.common] XML External Entity switches are not
> supported. You may get XML injection vulnerabilities.
>
> I was curious as to what might be vulnerable, so I sent some malicious
> XML payloads with XXE type attacks to the SAML endpoint, and got this
> message:
>
> ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: ParsingException [location=null]org.keycloak.saml.common.exceptions.ParsingException: PL00074: Parsing Error:DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
>
> I can see clearly where the DocumentUtil is setting the flag mentioned
> in this error message (as well as a couple of others). Based on this,
> is it safe to assume that XXE attacks are protected against by the KC
> SAML processing operations?
>
> Also, are there other endpoints or operations that don't use the
> DocumentUtil that I should be concerned with? If so, what are the
> recommended actions to ensure the TransformerFactory settings are
> appropriate?
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735