[keycloak-user] Potential Vulnerability on Login-action endpoint
Hossein Doutaghy
hossein.doutaghy at gmail.com
Wed Oct 23 08:33:26 EDT 2019
Thank you all. I'll make sure to submit the security-related question to the
"keycloak-security at lists.jboss.org" address.
Moe
On Wed, Oct 23, 2019 at 1:40 AM Stian Thorgersen <sthorger at redhat.com>
wrote:
> These are not sensitive, and you should not report potential
> vulnerabilities on a public mailing list.
>
> On Tue, 22 Oct 2019, 22:13 Hossein Doutaghy, <hossein.doutaghy at gmail.com>
> wrote:
>
>> Hi,
>>
>> Web security scanner found that the Keycloak Admin console is using GET with
>> the login-actions endpoint. It points out that several parameters are visible
>> in the URL, which can be sensitive, e.g. execution_session_code, client_id.
>>
>> The scanner recommends not using GET for sensitive parameters, or even
>> better, not accepting GET parameters for the endpoint at all.
>>
>> Are the parameters for login-actions really sensitive? What is the reason
>> that this endpoint allows both GET and POST forms?
>>
>>
>> Moe Doutaghy
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
--
Mohammad Hossein Doutaghy
Communications Engineer
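The practical difference the scanner is pointing at is where request values end up: a GET form submission puts its parameters in the query string, so they are copied into web-server and proxy access logs, browser history and Referer headers, whereas a POST body is not logged by default. Whether the login-actions values count as secrets in a given deployment is the question the thread asks; the following added example (not code from the thread or from Keycloak) shows how a defender would audit access logs for GET requests that carry such parameters. The watchlist of names (client_id from the thread, plus session_code, execution and tab_id, which Keycloak's login-actions URLs also carry), the log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names to watch for in request URLs. client_id is named in the
# thread; session_code, execution and tab_id are the other parameters that
# Keycloak login-actions URLs carry. Using them as a watchlist is an assumption
# of this example, not a claim that every one of them is a secret.
WATCHED_PARAMS = frozenset({"session_code", "execution", "client_id", "tab_id"})

# Matches the quoted request line inside a Common Log Format entry, e.g.
# "GET /path?x=1 HTTP/1.1". Assumes CLF-style logs.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def watched_query_params(target):
    """Return the watched parameter names present in a request target's query
    string, in the order they appear."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name in WATCHED_PARAMS]


def audit_access_log(lines):
    """Flag GET requests whose query string carries watched parameters.

    Returns a list of (path, [parameter names]) tuples. POST bodies never reach
    the access log, so only GET requests can leak these values this way.
    """
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        target = match.group("target")
        found = watched_query_params(target)
        if found:
            findings.append((urlsplit(target).path, found))
    return findings


# Constructed sample log lines for the example; not real Keycloak output.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2019:08:33:26 -0400] '
    '"GET /auth/realms/demo/login-actions/authenticate'
    '?session_code=s3ss10n&execution=exec-1&client_id=account&tab_id=t1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Oct/2019:08:33:27 -0400] '
    '"POST /auth/realms/demo/login-actions/authenticate HTTP/1.1" 302 0',
    '10.0.0.6 - - [23/Oct/2019:08:33:28 -0400] '
    '"GET /auth/realms/demo/account HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    # Only the first sample line is reported: it is a GET whose query string
    # carries all four watched parameters. The POST submission of the same
    # endpoint leaves nothing in the log.
    for path, params in audit_access_log(SAMPLE_LOG):
        print(f"{path}: {', '.join(params)} present in query string")
```

Running the script against real access logs (one line per element of the input list) tells you immediately whether a deployment is actually submitting these values over GET, which is the observable fact the scanner's finding rests on; the same check run on proxy or load-balancer logs shows how far the values travel.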