[keycloak-dev] denial-of-service (DoS)
Bill Burke
bburke at redhat.com
Tue Feb 17 19:16:41 EST 2015
On 2/17/2015 2:54 PM, Michael Gerber wrote:
> Hi all,
>
> It’s very easy to produce an out-of-memory error. Just make thousands of requests to the login page with a huge state parameter.
> Keycloak allocates a new ClientSessionEntity for each request and stores it with the given state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
>
> Do you think it is necessary to create a new ClientSessionEntity before the user is authenticated?
Yes, the ClientSession stores information about the protocol used and
information passed with the protocol. The state parameter and redirect URI
have to be saved, as they are revalidated when the client makes an access
token request.
BTW, there are a lot of other things that are worse for DoS. Specifically,
if you put in the recommended number of password hashing iterations (20K), you could
eat up the CPU quite easily too.
> Wouldn’t it be possible to pass all necessary information via URL parameters? Create a LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to the url as parameter.
>
A better approach would be to limit the amount of concurrent login
requests from a specific IP.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
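The exchange above describes two controls that are easy to get wrong: the server should refuse an oversized state parameter before it allocates anything, and it should cap the number of unauthenticated (in-flight) login sessions a single source address may hold, with those sessions expiring after a TTL. The following is an added illustration of that pattern, written for this page and not code from Keycloak (which is Java); it is a language-agnostic sketch in Python. The class and function names, the constants MAX_STATE_LEN, MAX_INFLIGHT_PER_IP and PENDING_TTL_SECONDS, the addresses and the traffic in simulate_flood are all assumptions constructed for the example.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

# Assumed limits for the example; a real deployment would tune these.
MAX_STATE_LEN = 1024         # reject client-supplied state longer than this before allocating
MAX_INFLIGHT_PER_IP = 20     # concurrent unauthenticated login sessions per source address
PENDING_TTL_SECONDS = 300    # an abandoned pre-auth session is reclaimed after this long


@dataclass
class PendingLogin:
    """Stand-in for a pre-authentication client session (state, redirect_uri, etc.)."""
    client_id: str
    redirect_uri: str
    state: str
    source_ip: str
    created_at: float


class LoginGuard:
    """Bounded store of pre-authentication login sessions keyed by state (like a session map)."""

    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock so expiry can be tested offline
        self._pending = {}                    # state -> PendingLogin
        self._inflight = defaultdict(int)     # source_ip -> number of pending logins

    def _drop(self, state):
        p = self._pending.pop(state)
        self._inflight[p.source_ip] -= 1
        if self._inflight[p.source_ip] <= 0:
            del self._inflight[p.source_ip]

    def _expire(self):
        """Reclaim sessions older than the TTL so abandoned logins do not pin memory."""
        cutoff = self._now() - PENDING_TTL_SECONDS
        for state, p in list(self._pending.items()):
            if p.created_at < cutoff:
                self._drop(state)

    def begin_login(self, source_ip, client_id, redirect_uri, state):
        """Handle a login-page request. Returns (status, message); 200 means a session was stored."""
        # Cheapest check first: no allocation for an oversized state parameter.
        if len(state) > MAX_STATE_LEN:
            return 400, "state parameter too long"
        self._expire()
        # Per-address cap on concurrent unauthenticated sessions.
        if self._inflight[source_ip] >= MAX_INFLIGHT_PER_IP:
            return 429, "too many concurrent login attempts from this address"
        if state in self._pending:
            return 400, "duplicate state"
        self._pending[state] = PendingLogin(client_id, redirect_uri, state, source_ip, self._now())
        self._inflight[source_ip] += 1
        return 200, "login session created"

    def complete_login(self, state, redirect_uri):
        """Handle the token request: state must match a pending session and redirect_uri must agree."""
        p = self._pending.get(state)
        if p is None:
            return 400, "unknown or expired state"
        if p.redirect_uri != redirect_uri:
            return 400, "redirect_uri mismatch"
        self._drop(state)
        return 200, "ok"

    def pending_count(self):
        return len(self._pending)


def simulate_flood():
    """Constructed attack traffic: one address sends thousands of requests with an oversized state,
    then tries normal-sized logins; afterwards the clock is advanced past the TTL."""
    clock = [0.0]
    guard = LoginGuard(now=lambda: clock[0])
    outcomes = defaultdict(int)
    big = "A" * (MAX_STATE_LEN * 10)
    for i in range(2000):
        status, _ = guard.begin_login("203.0.113.5", "app", "https://app.example/cb", big + str(i))
        outcomes[status] += 1
    for i in range(200):
        status, _ = guard.begin_login("203.0.113.5", "app", "https://app.example/cb", f"nonce-{i}")
        outcomes[status] += 1
    # Past the TTL, the abandoned sessions are reclaimed on the next request from anyone.
    clock[0] += PENDING_TTL_SECONDS + 1
    guard.begin_login("198.51.100.7", "app", "https://app.example/cb", "fresh")
    return {
        "rejected_oversize": outcomes[400],
        "rejected_rate_limited": outcomes[429],
        "accepted": outcomes[200],
        "pending_after_ttl": guard.pending_count(),
    }


if __name__ == "__main__":
    print(simulate_flood())
```

The order of the checks matters: the length check runs before anything is looked up or allocated, and the per-address cap bounds the session map to MAX_INFLIGHT_PER_IP entries per source regardless of how fast requests arrive. The TTL is what lets the cap recover; without it an attacker who never completes the flow holds its slots forever.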