[keycloak-dev] Open Redirect Vulnerability

Bill Burke bburke at redhat.com
Thu Apr 16 11:57:02 EDT 2015


I thought the attack was: put in an attacker redirect uri and an invalid 
parameter, auth server fails, redirects to non-validated attacker 
redirect uri.

On 4/16/2015 3:06 AM, Stian Thorgersen wrote:
> I don't get the attack, he states that:
>
>    Now let's assume an attacker:
>     * Registers a new client to the victim.com provider.
>     * Registers a redirect uri like attacker.com.
>
> If the attacker can register a client with a redirect uri, how is it then an open redirect?!
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, April 16, 2015 1:31:17 AM
>> Subject: Re: [keycloak-dev] Open Redirect Vulnerability
>>
>> One more thing...
>>
>> We never redirect unless the redirect URI and client id is validated.
>>
>> On 4/15/2015 4:57 PM, Pedro Igor Silva wrote:
>>> Hi,
>>>
>>>       Is KC considering this vulnerability [1] when performing redirects ?
>>>       Specially for OAuth Clients doing authorization code grant.
>>>
>>> Regards.
>>>
>>> [1]
>>> http://intothesymmetry.blogspot.ch/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list