[keycloak-dev] oauth vulnerabilities
Bill Burke
bburke at redhat.com
Wed Jan 7 20:31:59 EST 2015
Read this one, specifically that attack on github (you have to scroll
down a bit):
http://intothesymmetry.blogspot.ch/2014/10/beware-what-you-click.html
wildcard redirect uri patterns are pretty scary!
On 1/7/2015 8:14 PM, Bill Burke wrote:
> http://intothesymmetry.blogspot.ch/2015/01/top-5-oauth-2-implementation.html
>
> I think we're pretty good, the ones I worry about is relative urls in
> redirect URI checks i.e.
>
> "http://cloud.com/provisioned/good-site/../hacker-site"
>
> I'll log a bug for this if you agree that relative redirect URLs
> shouldn't be allowed. (Those containing "." and "..")
>
> Another really dangerous thing that we do is have full-scope-allowed set
> to true by default. If a rogue client gets registered, they pretty much
> have access to every single application the user can access with all of
> their privileges.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list