Before reporting an issue
Area
authentication
Describe the bug
This is a follow up to a potential security issue I initially raised to keycloak-security@googlegroups.com.
Keycloak-security have determined that no exploit is taking place, but asked me to open an issue here so that the lesser issue of an incorrect return code can be triaged accordingly.
As part of regular testing, we performed a type of basic JWT attack in which the token algorithm is modified and set to "none". The modified request was sent to Keycloak, which returned a 500 status. This type of attack can indicate that an application endpoint is vulnerable to JWT authentication bypass attacks. The 500 response (as opposed to 40x) raised some concerns that a bypass might be happening and prompted us to reach out to Keycloak-security.
As above, they say there is no exploit here but suggest this could be updated as part of security hardening.
Version
26.1.3
Regression
Expected behavior
We would expect a response code in the 400's range.
Actual behavior
Keycloak returns 500 Internal Server Error.
How to Reproduce?
The initial team that performed this pen test used Burp Repeater and the Burp plugin JWT Editor to modify the JWT token. These are specialized tools that I am not familiar with. However, I have been able to reproduce this using more standard tools:
- Log into a Keycloak instance on Chrome browser
- Navigate to /realms/master/account/ and in our test we modified the user's first name. Clicking save generates a POST request to /realms/master/account/
- Using Chrome’s built-in developer tools (ctrl+shift+j), copy this request as a Curl command
- Within the Curl request, locate the KEYCLOAK_IDENTITY and decode this token. We used https://jwt.ms/ to decode.
- Note that the algorithm “alg” of the token is set to “HS512”. Set this to “none” and re-encode the token. We used https://www.gavinjl.me/edit-jwt-online-alg-none/ to set the algorithm and re-encode.
- Copy this newly encoded token and paste it into the KEYCLOAK_IDENTITY section of the Curl command that we created in step 3
- Run the Curl command and observe Keycloak returning a 500 error
Anything else?
No response
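A verifier that handles this case the way the report expects, added here as an illustration (it is not Keycloak's code): it accepts only HS512, the algorithm of the KEYCLOAK_IDENTITY token, and turns alg "none", any other algorithm, a bad signature and a malformed token into a client error instead of an unhandled exception that surfaces as a 500. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real server uses its own HMAC secret.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"
ALLOWED_ALGS = {"HS512"}  # the only algorithm this verifier accepts


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs512_token(claims: dict, key: bytes) -> str:
    """Build a compact HS512 JWT, the algorithm the KEYCLOAK_IDENTITY token uses."""
    header = b64url_encode(b'{"alg":"HS512","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes) -> tuple[int, str]:
    """Return (http_status, reason). Anything untrusted or malformed is a
    client error (401); 500 is reserved for failures of the server itself."""
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return 401, "unparseable header"
    if not isinstance(header, dict):
        return 401, "header is not an object"
    alg = header.get("alg")
    # The point the issue raises: alg "none" (or any alg not configured)
    # must be rejected explicitly, not surface as an unhandled exception.
    if alg not in ALLOWED_ALGS:
        return 401, f"algorithm not allowed: {alg!r}"
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:
        return 401, "malformed signature"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, provided):
        return 401, "bad signature"
    return 200, "ok"
```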