[keycloak-user] Host Header Attack behind Load Balancer
Stian Thorgersen
sthorger at redhat.com
Fri Jun 15 00:32:18 EDT 2018
https://www.keycloak.org/docs/latest/server_admin/index.html#host
On 14 June 2018 at 16:43, Hylton Peimer <hylton.peimer at datos-health.com>
wrote:
> A Google Load balancer is proxying HTTP request to a Keycloak instance
> [container running in Kubernetes].
>
> A penetration test revealed that its possible to inject "X-FORWARDED-HOST"
> with a malicious host name, and Keycloak will accept this (login page).
>
> Is there a way to tell Keycloak (3.4) to only access web requests matching
> a given host?
>
> Thanks
> Hylton Peimer
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list