[keycloak-dev] oauth vulnerabilities

Marek Posolda mposolda at redhat.com
Wed Jan 14 05:33:08 EST 2015


On 14.1.2015 09:41, Stian Thorgersen wrote:
> I agree we shouldn't allow relative redirect URLs.
>
> We should also improve our wildcard matching to only allow one level, for example:
>
>    http://www.site.com/a/*
>
> Should match:
>
>    http://www.site.com/a/page.html
>
> But not:
>
>    http://www.site.com/a/b/page.html
I wonder if it's quite restrictive and not compatible with other stuff 
using url mappings? For example, in the servlet specification, if you map a 
servlet under "/a/*", it would map to everything including 
"/a/b/page.html".

Isn't it sufficient to just refuse the url if it contains dangerous 
characters like dots in the path?

Marek
>
> We don't check the redirect_uri in the access token request either. I've created https://issues.jboss.org/browse/KEYCLOAK-957 for that.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 8 January, 2015 2:31:59 AM
>> Subject: Re: [keycloak-dev] oauth vulnerabilities
>>
>> Read this one, specifically that attack on github (you have to scroll
>> down a bit):
>>
>> http://intothesymmetry.blogspot.ch/2014/10/beware-what-you-click.html
>>
>> wildcard redirect uri patterns are pretty scary!
>>
>> On 1/7/2015 8:14 PM, Bill Burke wrote:
>>> http://intothesymmetry.blogspot.ch/2015/01/top-5-oauth-2-implementation.html
>>>
>>> I think we're pretty good, the ones I worry about is relative urls in
>>> redirect URI checks i.e.
>>>
>>> "http://cloud.com/provisioned/good-site/../hacker-site"
>>>
>>> I'll log a bug for this if you agree that relative redirect URLs
>>> shouldn't be allowed. (Those containing "." and "..")
>>>
>>> Another really dangerous thing that we do is have full-scope-allowed set
>>> to true by default.  If a rogue client gets registered, they pretty much
>>> have access to every single application the user can access with all of
>>> their privileges.
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
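The two checks debated in this thread, refusing redirect URIs with "." or ".." path segments and deciding whether a trailing "/*" wildcard should match one path level (Stian's proposal) or everything beneath it (servlet-style, as Marek describes), as an added example that is not Keycloak's code and not part of the original thread. The function names `check_redirect_uri` and `has_dot_segments` are assumed for the example; the sample URIs are the ones quoted in the messages above. The example goes slightly beyond the thread in that it percent-decodes each path segment before looking for dot segments, so an encoded `%2e%2e` is treated the same as `..`, and it rejects any URI that is not absolute or that carries a fragment.

```python
# Added example (not Keycloak's code): redirect_uri validation that refuses
# dot-segments and supports a trailing "/*" wildcard in either the
# single-level form proposed in the thread or the servlet-style
# multi-level form. Function names are assumptions for this example.
from urllib.parse import urlsplit, unquote


def path_segments(path: str) -> list:
    """Split a URI path into segments, percent-decoding each one so that
    an encoded '%2e%2e' is seen as '..' as well."""
    return [unquote(seg) for seg in path.split("/")]


def has_dot_segments(path: str) -> bool:
    """True if the path contains a '.' or '..' segment (relative traversal
    such as '/good-site/../hacker-site')."""
    return any(seg in (".", "..") for seg in path_segments(path))


def check_redirect_uri(redirect_uri: str, registered: str,
                       single_level_wildcard: bool = True) -> bool:
    """Return True only if redirect_uri is an absolute URI allowed by the
    registered pattern.

    registered may end in '/*'; any other pattern is compared literally.
    single_level_wildcard=True:  'http://www.site.com/a/*' matches
        'http://www.site.com/a/page.html' but not
        'http://www.site.com/a/b/page.html'.
    single_level_wildcard=False: servlet-style, '/a/*' matches everything
        under '/a/'.
    """
    r = urlsplit(redirect_uri)
    p = urlsplit(registered)

    # Must be absolute (scheme and host present) and carry no fragment;
    # a relative URI such as '/a/page.html' is refused outright.
    if not r.scheme or not r.netloc or r.fragment:
        return False
    # Scheme and host compare case-insensitively; the path is exact.
    if (r.scheme.lower() != p.scheme.lower()
            or r.netloc.lower() != p.netloc.lower()):
        return False
    # Refuse '.' / '..' segments regardless of how the pattern looks.
    if has_dot_segments(r.path):
        return False

    if p.path.endswith("/*"):
        prefix = p.path[:-1]            # keep the trailing slash: '/a/'
        if not r.path.startswith(prefix):
            return False
        remainder = r.path[len(prefix):]
        # One level only: the part after the prefix may not contain '/'.
        if single_level_wildcard and "/" in remainder:
            return False
        return True

    # No wildcard: the path must match the registered one exactly.
    return r.path == p.path


if __name__ == "__main__":
    pattern = "http://www.site.com/a/*"
    for uri in ("http://www.site.com/a/page.html",
                "http://www.site.com/a/b/page.html",
                "http://www.site.com/a/../b/page.html"):
        print(uri, "->", check_redirect_uri(uri, pattern))
```

The query string is deliberately left out of the comparison so the example stays focused on the two points raised in the thread; a production validator would also decide how registered query parameters are matched.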


