<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
<p>Ugh, I forgot the specifics around that warning message.  I think
      JDK 8 doesn't support some of the XXE flags or something, or,
      earlier versions of the JDK don't support them.  I forget.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 5/11/16 1:31 PM, Josh Cain wrote:<br>
    </div>
    <blockquote
cite="mid:CA+z0A8BymNUzc8U=mCUOAPb9dnRt10Z1RWWnBT6Knrc=OP24iA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>Hi all,<br>
            <br>
          </div>
          I'm running Keycloak 1.9.3.Final with the standard
          out-of-the-box Wildfly configuration in a test environment,
          and I noticed this warning:<br>
          <br>
          <span style="color:rgb(180,95,6)">WARN 
            [org.keycloak.saml.common] XML External Entity switches are
            not supported.  You may get XML injection vulnerabilities.</span><br>
          <br>
        </div>
        I was curious as to what might be vulnerable, so I sent some
        malicious XML payloads with XXE type attacks to the SAML
        endpoint, and got this message:<br>
        <br>
<span style="color:rgb(153,0,0)">ERROR
          [org.keycloak.saml.common] Error in base64 decoding saml
          message: ParsingException [location=null]<br>
          org.keycloak.saml.common.exceptions.ParsingException: PL00074:
          Parsing Error:DOCTYPE is disallowed when the feature
          "http://apache.org/xml/features/disallow-doctype-decl" set to true.</span><br>
        <div>
          <div><br>
          </div>
          <div>I can see clearly where the DocumentUtil is setting the
            flag mentioned in this error message (as well as a couple of
            others).  Based on this, is it safe to assume that XXE
            attacks are protected against by the KC SAML processing
            operations?<br>
            <br>
          </div>
          <div>Also, are there other endpoints or operations that don't
            use the DocumentUtil that I should be concerned with?  If
            so, what are the recommended actions to ensure the
            TransformerFactory settings are appropriate?<br>
          </div>
          <div><br clear="all">
            <div>
              <div>
                <div class="gmail_signature">
                  <div dir="ltr"><span>
                      <div>
                        <div>Josh Cain | Software Applications Engineer<br>
                        </div>
                        <i>Identity and Access Management</i><br>
                      </div>
                      <b>Red Hat</b><br>
                      +1 843-737-1735<br>
                    </span></div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
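<p>The parser and transformer hardening asked about above, as an added example that is not Keycloak's DocumentUtil and not code from either poster: a DocumentBuilderFactory that enables the disallow-doctype-decl feature named in the error message (plus the related external-entity features), and a TransformerFactory restricted with the JAXP ACCESS_EXTERNAL_* attributes. The class name, helper names and sample documents are constructed for the example.</p>

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.SAXParseException;

public class HardenedXmlFactories {

    // Xerces feature quoted in the Keycloak error message above.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** DocumentBuilderFactory that rejects any DOCTYPE, so no entity declarations can be parsed. */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        // Belt and braces for parsers where a DOCTYPE still gets through:
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** TransformerFactory that may not fetch external DTDs or stylesheets (JAXP 1.5 attributes). */
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** True when the hardened parser refuses the document because it carries a DOCTYPE. */
    static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return e.getMessage().contains("DOCTYPE is disallowed");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a minimal root element with and without an (empty) DOCTYPE.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE Response><Response/>";
        String plain = "<?xml version=\"1.0\"?><Response/>";
        System.out.println("DOCTYPE input rejected: " + rejectsDoctype(withDoctype));
        System.out.println("plain input rejected:   " + rejectsDoctype(plain));
        hardenedTransformerFactory();
    }
}
```

<p>An IllegalArgumentException from setAttribute means the TransformerFactory implementation on the classpath does not support the ACCESS_EXTERNAL_* attributes, which is the kind of JDK-version dependence the reply above refers to.</p>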
  </body>
</html>