Hi all,

I'm running Keycloak 1.9.3.Final with the standard out-of-the-box Wildfly configuration in a test environment, and I noticed this warning:

WARN [org.keycloak.saml.common] XML External Entity switches are not supported. You may get XML injection vulnerabilities.

I was curious as to what might be vulnerable, so I sent some malicious XML payloads with XXE type attacks to the SAML endpoint, and got this message:

ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: ParsingException [location=null]or
g.keycloak.saml.common.exceptions.ParsingException: PL00074: Parsing Error:DOCTYPE is disallowed when the feature "http://apache.org/xml
/features/disallow-doctype-decl" set to true.

I can see clearly where the DocumentUtil is setting the flag mentioned in this error message (as well as a couple of others). Based on this, is it safe to assume that XXE attacks are protected against by the KC SAML processing operations?

Also, are there other endpoints or operations that don't use the DocumentUtil that I should be concerned with? If so, what are the recommended actions to ensure the TransformerFactory settings are appropriate?

Josh Cain | Software Applications Engineer

Identity and Access Management

Red Hat
+1 843-737-1735