Host Header Attack behind Load Balancer - keycloak-user - Jboss List Archives

2025

January

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Host Header Attack behind Load Balancer

How to generate OIDC Token for...

throwing error after running this...

Hylton Peimer

Thursday, 14 June 2018 Thu, 14 Jun '18

9:43 a.m.

A Google Load balancer is proxying HTTP request to a Keycloak instance [container running in Kubernetes]. A penetration test revealed that its possible to inject "X-FORWARDED-HOST" with a malicious host name, and Keycloak will accept this (login page). Is there a way to tell Keycloak (3.4) to only access web requests matching a given host? Thanks Hylton Peimer

Reply

Show replies by date

Stian Thorgersen

Thursday, 14 June Thu, 14 Jun

11:32 p.m.

https://www.keycloak.org/docs/latest/server_admin/index.html#host On 14 June 2018 at 16:43, Hylton Peimer <hylton.peimer(a)datos-health.com> wrote:

A Google Load balancer is proxying HTTP request to a Keycloak instance [container running in Kubernetes]. A penetration test revealed that its possible to inject "X-FORWARDED-HOST" with a malicious host name, and Keycloak will accept this (login page). Is there a way to tell Keycloak (3.4) to only access web requests matching a given host? Thanks Hylton Peimer _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Reply

2401

days inactive

2402

days old

keycloak-user@lists.jboss.org

Manage subscription

1 comments

2 participants

tags (0)

participants (2)

Hylton Peimer
Stian Thorgersen