[keycloak-dev] oauth vulnerabilities
Bill Burke
bburke at redhat.com
Wed Jan 14 13:14:25 EST 2015
I disagree. Wildcard should be able to match multiple levels. For
complex sites it would get really tedious otherwise. (and not backward
compatible for what we currently have).
On 1/14/2015 3:41 AM, Stian Thorgersen wrote:
> I agree we shouldn't allow relative redirect URLs.
>
> We should also improve our wildcard matching to only allow one level, for example:
>
> http://www.site.com/a/*
>
> Should match:
>
> http://www.site.com/a/page.html
>
> But not:
>
> http://www.site.com/a/b/page.html
>
> We don't check the redirect_uri in the access token request either. I've created https://issues.jboss.org/browse/KEYCLOAK-957 for that.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 8 January, 2015 2:31:59 AM
>> Subject: Re: [keycloak-dev] oauth vulnerabilities
>>
>> Read this one, specifically that attack on github (you have to scroll
>> down a bit):
>>
>> http://intothesymmetry.blogspot.ch/2014/10/beware-what-you-click.html
>>
>> wildcard redirect uri patterns are pretty scary!
>>
>> On 1/7/2015 8:14 PM, Bill Burke wrote:
>>> http://intothesymmetry.blogspot.ch/2015/01/top-5-oauth-2-implementation.html
>>>
>>> I think we're pretty good, the ones I worry about is relative urls in
>>> redirect URI checks i.e.
>>>
>>> "http://cloud.com/provisioned/good-site/../hacker-site"
>>>
>>> I'll log a bug for this if you agree that relative redirect URLs
>>> shouldn't be allowed. (Those containing "." and "..")
>>>
>>> Another really dangerous thing that we do is have full-scope-allowed set
>>> to true by default. If a rogue client gets registered, they pretty much
>>> have access to every single application the user can access with all of
>>> their privileges.
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list