Look into CORS and how cross-origin requests work. If your script comes
from the same origin as the target of the XHR, it will work fine. No
problem. If the script is from a different origin, the server will receive
the request, but the script will not be able to see the response.
Sometimes, depending on the browser and the XHR request, an OPTIONS request is
sent first.
Keycloak adapters have some support for CORS. See docs.
On 2/19/2016 6:19 PM, Baskin, Ilia wrote:
Scott,
I know that, but this is exactly how CSRF works. There are several
simple ways to defend against CSRF and I am surprised that Keycloak, a
security application, doesn’t utilize any.
Thanks.
Ilia
From: Scott Rossillo <srossillo@smartling.com>
Sent: Friday, February 19, 2016 6:15 PM
To: Baskin, Ilia
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Is it CSRF vulnerability?
Once you’ve authenticated with Keycloak, your application has a
session id provided by Tomcat. This is why your requests are
succeeding. If you examine your XHR requests, I’d assume the session
id cookie is being passed to the server.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo@smartling.com
On Feb 19, 2016, at 6:01 PM, Baskin, Ilia <ibaskine@microstrategy.com> wrote:
Hi,
I am experimenting with Keycloak to evaluate its suitability for
our application. Here is one of my experiments that got me worried:
I created a simple page (see attached), deployed it on Tomcat and
registered it in Keycloak as a confidential client. As you can see,
the page contains a button, clicking on which executes a simple XHR
request. Notice that the XHR request doesn’t contain an Authorization
header. On submission of my page URL I am redirected to Keycloak
for authentication. After authentication I can submit XHR requests
at will.
Now I copied my page and deployed the copy on the same Tomcat as a
different, totally unsecured application. If I open this page in
another browser tab and click on the XHR button, it goes through
without any problem. It looks to me like a typical CSRF case. Am I
missing something here?
Thanks.
Ilia
<index.html>
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com