[keycloak-user] Is it CSRF vulnerability?

Scott Rossillo srossillo at smartling.com
Sat Feb 20 10:29:25 EST 2016


Are you using the Tomcat adapter? If so, you have to configure Tomcat's CSRF
filter.

Once you've authenticated with an SSO server like Keycloak, you still have
to use platform-specific CSRF

https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter

On Fri, Feb 19, 2016 at 6:19 PM Baskin, Ilia <ibaskine at microstrategy.com>
wrote:

> Scott,
>
>
>
> I know that, but this is exactly how CSRF works. There are several simple
> ways to defend against CSRF and I am surprised that Keycloak, a security
> application, doesn’t utilize any.
>
>
>
> Thanks.
>
> Ilia
>
>
>
> *From:* Scott Rossillo [mailto:srossillo at smartling.com]
> *Sent:* Friday, February 19, 2016 6:15 PM
> *To:* Baskin, Ilia
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Is it CSRF vulnerability?
>
>
>
> Once you’ve authenticated with Keycloak, your application has a session
> id provided by Tomcat. This is why your requests are succeeding. If you
> examine your XHR requests, I’d assume the session id cookie is being passed
> to the server.
>
>
>
>
>
> Scott Rossillo
>
> Smartling | Senior Software Engineer
>
> srossillo at smartling.com
>
>
>
> On Feb 19, 2016, at 6:01 PM, Baskin, Ilia <ibaskine at microstrategy.com>
> wrote:
>
>
>
> Hi,
>
>
>
> I am experimenting with Keycloak to evaluate its suitability for our
> application. Here is one of my experiments that got me worried:
>
>
>
> I created a simple page (see attached), deployed it on Tomcat and
> registered it in Keycloak as a confidential client. As you can see, the page
> contains a button; clicking on it executes a simple XHR request. Notice
> that the XHR request doesn’t contain an Authorization header. On submission of my
> page URL I am redirected to Keycloak for authentication. After
> authentication I can submit XHR requests at will.
>
>
>
> Now I copied my page and deployed the copy on the same Tomcat as a
> different, totally unsecured application. If I open this page in another
> browser tab and click on the XHR button, it goes through without any problem.
> It looks to me like a typical CSRF case. Am I missing something here?
>
>
>
> Thanks.
>
> Ilia
>
> <index.html>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
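The point Scott makes above is that the browser attaches the Tomcat session cookie to every request, so the session alone cannot prove the request was issued by the application's own page; a synchronizer token that only the application's page can obtain has to accompany state-changing requests. The following is an added example illustrating that check, not code from Keycloak, Tomcat or this thread. It keeps one nonce per session (a simplification of Tomcat's CsrfPreventionFilter, which tracks a cache of nonces) and borrows the filter's parameter name; the `Request`, `SessionStore` and `csrf_filter` names are constructed for the illustration.

```python
"""Synchronizer-token CSRF check (added example, not Keycloak/Tomcat code).

A browser sends the session cookie automatically with requests from any page,
so a state-changing request must also carry a secret the server issued to this
session and that a page served by another application cannot read.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Parameter name used by Tomcat's CsrfPreventionFilter; reused here for familiarity.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"
SESSION_COOKIE = "JSESSIONID"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods are not token-checked


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


class SessionStore:
    """In-memory sessions; each gets its own unguessable CSRF nonce at creation."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"csrf_nonce": secrets.token_urlsafe(16)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def csrf_filter(store, request):
    """Return (status, message).

    No session -> 401.  Safe methods pass.  Any other method must present the
    session's nonce as a request parameter, compared in constant time.
    """
    session = store.get(request.cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return 401, "no session: authenticate first"
    if request.method in SAFE_METHODS:
        return 200, "ok"
    supplied = request.params.get(NONCE_PARAM, "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_nonce"].encode()):
        return 403, "CSRF nonce missing or invalid"
    return 200, "state changed"


def demo():
    """Run constructed requests through the filter and return their status codes."""
    store = SessionStore()
    sid = store.create()                    # user has logged in through SSO
    nonce = store.get(sid)["csrf_nonce"]    # the app renders this into its own page
    cookie = {SESSION_COOKIE: sid}          # the browser sends this with every request
    post = "/app/update"
    return {
        # read-only request: cookie is enough
        "read": csrf_filter(store, Request("GET", "/app/data", cookie))[0],
        # request issued by the app's own page, which knows the nonce
        "legit": csrf_filter(store, Request("POST", post, cookie, {NONCE_PARAM: nonce}))[0],
        # request issued by another page: cookie rides along, nonce does not
        "cross_site": csrf_filter(store, Request("POST", post, cookie))[0],
        # guessed nonce of the right length
        "wrong_nonce": csrf_filter(store, Request("POST", post, cookie, {NONCE_PARAM: "x" * 22}))[0],
        # unauthenticated request
        "no_session": csrf_filter(store, Request("POST", post))[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:12s} -> {status}")
```

The check only helps if the application's own XHR actually sends the nonce (Tomcat's filter expects it to be added through `response.encodeURL`/`encodeRedirectURL`); a page deployed as a separate application never receives the nonce, so its request is rejected even though the browser attaches the same session cookie.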