3:11 p.m.
Hi,
Web security scanner found that Keycloak Admin console is using GET with
login-actions endpoint. It points out that several parameters is visible in
url which can be sensitive. E.g. execution_session_code, client_id.
Scanner recommends not to use GET for sensitive parameters. Or even better
not accepting GET parameters for the endpoint at all.
Are the parameters for login-actions really sensitive? What are reason
that this endpoint allows both GET and POST form?
Moe Doutaghy
12:40 a.m.
These are not sensitive, and you should not report potential
vulnerabilities on a public mailing list.
On Tue, 22 Oct 2019, 22:13 Hossein Doutaghy, <hossein.doutaghy(a)gmail.com>
wrote:
Hi,
Web security scanner found that Keycloak Admin console is using GET with
login-actions endpoint. It points out that several parameters is visible in
url which can be sensitive. E.g. execution_session_code, client_id.
Scanner recommends not to use GET for sensitive parameters. Or even better
not accepting GET parameters for the endpoint at all.
Are the parameters for login-actions really sensitive? What are reason
that this endpoint allows both GET and POST form?
Moe Doutaghy
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7:33 a.m.
Thank you all. I'll make sure to submit the security related question to "
keycloak-security(a)lists.jboss.org" address.
Moe
On Wed, Oct 23, 2019 at 1:40 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
These are not sensitive, and you should not report potential
vulnerabilities on a public mailing list.
On Tue, 22 Oct 2019, 22:13 Hossein Doutaghy, <hossein.doutaghy(a)gmail.com>
wrote:
> Hi,
>
> Web security scanner found that Keycloak Admin console is using GET with
> login-actions endpoint. It points out that several parameters is visible
> in
> url which can be sensitive. E.g. execution_session_code, client_id.
>
>
>
> Scanner recommends not to use GET for sensitive parameters. Or even
> better
> not accepting GET parameters for the endpoint at all.
>
>
>
>
>
> Are the parameters for login-actions really sensitive? What are reason
> that this endpoint allows both GET and POST form?
>
>
> Moe Doutaghy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Mohammad Hossein Doutaghy
Communications Engineer
1895
days inactive
1896
days old
2 comments
2 participants
participants (2)
-
Hossein Doutaghy -
Stian Thorgersen