Re: [keycloak-user] Potential Vulnerability on Login-action endpoint
Thank you all. I'll make sure to submit the security related question to "
keycloak-security(a)lists.jboss.org" address.
Moe
On Wed, Oct 23, 2019 at 1:40 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
These are not sensitive, and you should not report potential
vulnerabilities on a public mailing list.
On Tue, 22 Oct 2019, 22:13 Hossein Doutaghy, <hossein.doutaghy(a)gmail.com>
wrote:
> Hi,
>
> Web security scanner found that Keycloak Admin console is using GET with
> login-actions endpoint. It points out that several parameters is visible
> in
> url which can be sensitive. E.g. execution_session_code, client_id.
>
>
>
> Scanner recommends not to use GET for sensitive parameters. Or even
> better
> not accepting GET parameters for the endpoint at all.
>
>
>
>
>
> Are the parameters for login-actions really sensitive? What are reason
> that this endpoint allows both GET and POST form?
>
>
> Moe Doutaghy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Mohammad Hossein Doutaghy
Communications Engineer