Ugh, I forgot the specifics around that warning message. I think JDK 8
doesn't support some of the XXE flags or something, or earlier versions
of the JDK don't support them. I forget.
On 5/11/16 1:31 PM, Josh Cain wrote:
Hi all,
I'm running Keycloak 1.9.3.Final with the standard out-of-the-box
Wildfly configuration in a test environment, and I noticed this warning:
WARN [org.keycloak.saml.common] XML External Entity switches are not
supported. You may get XML injection vulnerabilities.
I was curious as to what might be vulnerable, so I sent some malicious
XML payloads with XXE type attacks to the SAML endpoint, and got this
message:
ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: ParsingException [location=null]org.keycloak.saml.common.exceptions.ParsingException: PL00074: Parsing Error:DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
I can see clearly where the DocumentUtil is setting the flag mentioned
in this error message (as well as a couple of others). Based on this,
is it safe to assume that XXE attacks are protected against by the KC
SAML processing operations?
Also, are there other endpoints or operations that don't use the
DocumentUtil that I should be concerned with? If so, what are the
recommended actions to ensure the TransformerFactory settings are
appropriate?
Josh Cain | Software Applications Engineer
/Identity and Access Management/
*Red Hat*
+1 843-737-1735
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
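The question above asks what the disallow-doctype-decl feature actually buys and how to get the TransformerFactory settings right. The following is an added example written for this thread; it is not Keycloak's DocumentUtil and not code from either poster. It builds a DocumentBuilderFactory and a TransformerFactory with the standard JAXP hardening switches, feeds a constructed XXE payload through both a hardened and a stock factory so the "DOCTYPE is disallowed" rejection can be seen next to the unhardened behaviour, and logs a warning in the spirit of the one in the thread when the JAXP implementation does not know the external-access attributes. The class name, both payloads, and the file path inside the entity declaration are all constructed for the demo.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Demo class, not part of Keycloak. Shows the JAXP switches that make a DOCTYPE-carrying
// (XXE) payload fail at parse time instead of being expanded.
public class XxeHardeningDemo {

    // Constructed sample payload: a SAML-looking request with an external entity declaration.
    // The file path is arbitrary; the point is the DOCTYPE, which a hardened parser rejects outright.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE samlp:AuthnRequest [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"&xxe;\"/>";

    // Constructed benign payload: same element, no DOCTYPE, should parse under either factory.
    static final String BENIGN_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_abc123\"/>";

    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: this removes internal and external entity declarations in one go,
        // and is the feature named in the PL00074 error in the thread.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        try {
            // JAXP 1.5 attributes: an empty protocol list forbids fetching external DTDs and
            // stylesheets during transforms.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Older implementations do not recognise these attributes; that is the situation a
            // warning like "XML External Entity switches are not supported" reports.
            System.err.println("WARN XML External Entity switches are not supported: " + e.getMessage());
        }
        return tf;
    }

    // Parses the document and reports either the root element or the parser's rejection message.
    static String parse(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed root=" + doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            // With the stock factory this branch is hit if the referenced file does not exist.
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedDocumentBuilderFactory();
        DocumentBuilderFactory stock = DocumentBuilderFactory.newInstance(); // default: DOCTYPE accepted

        System.out.println("hardened, benign : " + parse(hardened, BENIGN_PAYLOAD));
        System.out.println("hardened, XXE    : " + parse(hardened, XXE_PAYLOAD));
        System.out.println("stock,    XXE    : " + parse(stock, XXE_PAYLOAD));
        hardenedTransformerFactory();
    }
}
```

The hardened factory refuses the XXE payload with the same "DOCTYPE is disallowed when the feature ... set to true" text seen in the thread, while the stock factory resolves the entity (or fails on the missing file) and never reports an attack. The TransformerFactory attributes are the ones a JAXP 1.5 implementation understands; on an implementation that does not, the only honest option is to warn, which is what the catch block does.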