Re: [keycloak-user] Is it CSRF vulnerability?
Once you’ve authenticated with Keycloak, your application has an session id provided by
Tomcat. This is why your requests are succeeding. If you examine your XHR requests, I’d
assume the session id cookie is being passed to the server.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
On Feb 19, 2016, at 6:01 PM, Baskin, Ilia
<ibaskine(a)microstrategy.com> wrote:
Hi,
I am experimenting with Keycloak to evaluate its suitability for our application. Here is
one of my experiments, that got me warried:
I created a simple page (see attached), deployed it on Tomcat and registered it in
Keycloak as confidential client. As you can see the page contains a button clicking on
which executes simple XHR request. Notice that XHR request doesn’t contain Authorization
header. On submission of my page URL I am redirected to Keycloak for authentication. After
authentication I can submit XHR requests at will.
Now I copied my page and deployed the copy on the same Tomcat as a different totally
unsecured application. If I open this page in another browser tab and click on XHR button
it will go through without any problem. It looks to me as a typical CSRF case. Am I
missing something here?
Thanks.
Ilia
<index.html>_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
Attachments:
- attachment.html (text/html — 7.6 KB)