[keycloak-user] XXE Switches warning
Josh Cain
josh.cain at redhat.com
Wed May 11 13:31:07 EDT 2016
Hi all,
I'm running Keycloak 1.9.3.Final with the standard out-of-the-box Wildfly
configuration in a test environment, and I noticed this warning:
WARN [org.keycloak.saml.common] XML External Entity switches are not
supported. You may get XML injection vulnerabilities.
I was curious as to what might be vulnerable, so I sent some malicious XML
payloads with XXE type attacks to the SAML endpoint, and got this message:
ERROR [org.keycloak.saml.common] Error in base64 decoding saml message:
ParsingException [location=null]or
g.keycloak.saml.common.exceptions.ParsingException: PL00074: Parsing
Error:DOCTYPE is disallowed when the feature "http://apache.org/xml
/features/disallow-doctype-decl" set to true.
I can see clearly where the DocumentUtil is setting the flag mentioned in
this error message (as well as a couple of others). Based on this, is it
safe to assume that XXE attacks are protected against by the KC SAML
processing operations?
Also, are there other endpoints or operations that don't use the
DocumentUtil that I should be concerned with? If so, what are the
recommended actions to ensure the TransformerFactory settings are
appropriate?
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160511/c2197d47/attachment.html
More information about the keycloak-user
mailing list