[keycloak-user] CSRF vulnerability in Keycloak account service

Prapti Mittal mittal.prapti06 at gmail.com
Mon Aug 28 12:08:12 EDT 2017


Dear Keycloak Community,

Though there is a CSRF token used in the Keycloak Account service,
there is *CSRF
token fixation vulnerability*.

To prevent CSRF, a cookie named KEYCLOAK_STATE_CHECKER is used (CSRF
defense method: "Double submit cookie"). The CSRF token is required to be
unique for each session. But, as this cookie accepts user-agent provided
value at login and doesn't clear the cookie at logout, the value of the
CSRF token is same across sessions, for the users using the same user-agent.

This vulnerability can be exploited by an attacker to steal this cookie
from the victim's browser, even when there is no active victim session. And
then, the value can be used by the attacker to perform the CSRF attack. The
impact of this attack can be as bad as an attacker taking over as the admin
of the IDP and exploiting any application hosted using this IDP service.

A fix for the issue was requested at the below link, but it is deleted now,
for no known reason :

https://developer.jboss.org/thread/275577

My questions are:

1. Why was my fix request deleted?

2. If I fix the vulnerability (by initializing cookie
KEYCLOAK_STATE_CHECKER at every login), it would be difficult to carry
forward the code changes, for every new update from the JBoss community.
How to manage such local fixes?

3. If there can be a work-around to the problem?


https://stackoverflow.com/questions/45481833/csrf-vulnerability-in-keycloak-account-service


More information about the keycloak-user mailing list