Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

An analysis of the Keycloak authentication system- 1529

Maurizio Agazzini - HN Security Posted 1 Year Ago
  • Keycloak is a single sign-on provider. While on a project for a client, they identified a flaw in the authentication system.
  • In Keycloak, the levels of security depend on the level of authentication. Level 1 is just the username and password. Level 2 is username, password and OTP. According to their setup guide, the default browser flow is used by most apps.
  • This levels system sounds good in theory but has a flaw: level 1 authentication has access to account settings. An attacker could log in with credentials to a level 1 website, add a new OTP method, and then use it on the level 2 website. This creates a really dumb bypass for 2FA. According to the security team this vulnerability was already known, but it took 10 months to fix.
  • Several of the administrative endpoints were reachable by an unprivileged user. Of these, testLDAPConnection was the most serious because it could be used to steal LDAP creds by setting a custom connection location. This required some information that could be queried using this same vulnerability on a different API.
  • The final issue was poor brute force protections. The protections were turned off by default but were insufficient anyway. It was possible to send multiple requests simultaneously to allow more login attempts than what should be allowed (a check-then-increment race on the failure counter). Use those locks!
  • Overall, a series of fairly simple yet impactful bugs. Good writeup!
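The brute force point above is worth seeing in code. The following is an added example (not from the Keycloak writeup or the Keycloak codebase) of a hypothetical failed-login counter written two ways: a naive check-then-increment that loses updates when requests arrive concurrently, and the same counter guarded by a lock so the threshold actually holds. The user name, the threshold of 5 and the barrier used to force the threads to collide are all constructed for the demonstration.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 5  # hypothetical lockout threshold, constructed for this example


class NaiveLimiter:
    """Check-then-increment with no lock.

    Concurrent requests can all read the same stale count, pass the
    threshold check together, and then overwrite each other's increment,
    so far more than MAX_ATTEMPTS login attempts get processed.
    """

    def __init__(self):
        self.failures = {}

    def try_login(self, user, barrier=None):
        count = self.failures.get(user, 0)
        if count >= MAX_ATTEMPTS:
            return False  # locked out, attempt rejected
        if barrier is not None:
            barrier.wait()  # test aid: hold every thread here until all passed the check
        self.failures[user] = count + 1  # lost update: each thread writes its stale count + 1
        return True  # attempt processed (and, in this demo, failed)


class LockedLimiter:
    """Same counter, but the check and the increment happen atomically under a lock."""

    def __init__(self):
        self.failures = {}
        self.lock = threading.Lock()

    def try_login(self, user, barrier=None):
        if barrier is not None:
            barrier.wait()  # same collision point as above, before the critical section
        with self.lock:
            count = self.failures.get(user, 0)
            if count >= MAX_ATTEMPTS:
                return False
            self.failures[user] = count + 1
            return True


def run_concurrent(limiter, user, n):
    """Fire n simultaneous login attempts for one user; return how many were processed."""
    barrier = threading.Barrier(n)
    with ThreadPoolExecutor(max_workers=n) as pool:
        results = list(pool.map(lambda _: limiter.try_login(user, barrier), range(n)))
    return sum(results)


if __name__ == "__main__":
    print("naive :", run_concurrent(NaiveLimiter(), "alice", 20), "attempts processed")
    print("locked:", run_concurrent(LockedLimiter(), "alice", 20), "attempts processed")
```

With 20 simultaneous requests the naive limiter processes all 20 (every thread saw a count of 0), while the locked limiter stops at 5. In a real service the counter usually lives in a shared store rather than process memory, so the equivalent fix is an atomic increment-and-compare there (or a per-user lock around the check), not just a Python lock.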