Ugh, I forgot the specific around that warning message. I think
JDK 8 doesn't support some of the XXE flags or something, or,
earlier versions of the JDK don't support them. I forget.
Hi all,

I'm running Keycloak 1.9.3.Final with the standard out-of-the-box Wildfly configuration in a test environment, and I noticed this warning:

WARN [org.keycloak.saml.common] XML External Entity switches are not supported. You may get XML injection vulnerabilities.

I was curious as to what might be vulnerable, so I sent some malicious XML payloads with XXE type attacks to the SAML endpoint, and got this message:

ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: ParsingException [location=null]
org.keycloak.saml.common.exceptions.ParsingException: PL00074: Parsing Error:DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
I can see clearly where the DocumentUtil is setting the flag mentioned in this error message (as well as a couple of others). Based on this, is it safe to assume that XXE attacks are protected against by the KC SAML processing operations?
Also, are there other endpoints or operations that don't use the DocumentUtil that I should be concerned with? If so, what are the recommended actions to ensure the TransformerFactory settings are appropriate?
Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 843-737-1735

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
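The thread above asks how to confirm that a parser rejects DOCTYPE declarations (the feature named in the log line) and how to lock down TransformerFactory. The following is an added, stand-alone example of that check written for this reply; it is not Keycloak's DocumentUtil or any code from the thread. The sample XML is constructed, and the class and method names are my own; on a JDK or TransformerFactory implementation that lacks the JAXP 1.5 attributes, setAttribute will throw, which is the situation the reply at the top alludes to.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardeningCheck {

    // Constructed sample: a SAML-shaped document that carries a DOCTYPE.
    // A hardened parser must refuse it before any entity is resolved.
    static final String DOCTYPE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Response [<!ENTITY x \"placeholder\">]>\n"
        + "<Response>&x;</Response>";
    static final String PLAIN_SAMPLE = "<Response>ok</Response>";

    // Sets the feature named in the error message plus its usual companions.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // XSLT side: forbid external DTD and stylesheet fetches (JAXP 1.5 attributes).
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True when the hardened parser accepted the document, false when it rejected it
    // (the rejection message is the "DOCTYPE is disallowed ..." SAXParseException).
    static boolean parses(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try { b.parse(new InputSource(new StringReader(xml))); return true; }
        catch (SAXParseException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain parses:   " + parses(PLAIN_SAMPLE));
        System.out.println("doctype parses: " + parses(DOCTYPE_SAMPLE));
        hardenedTransformerFactory();
    }
}
```

Running it against any other parser entry point in an application (anything that does not go through the hardened factory) is the quickest way to find the endpoints the second question is asking about.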