How I Found Keycloak Reflected XSS

dkcyberz
Aug 19, 2024


Let’s dive into an interesting journey where I discovered a Reflected XSS vulnerability in Keycloak. Before we begin, let’s take a brief look at what Keycloak is and what a Reflected XSS vulnerability entails.

What is Keycloak?

Keycloak is an open-source identity and access management (IAM) solution that supports standard protocols like OAuth 2.0, OpenID Connect, and SAML. It provides a robust and flexible framework for managing authentication and authorization, making it an ideal choice for securing modern applications and services. It allows developers to implement features like Single Sign-On (SSO), user federation, and social login with minimal effort.

What is Keycloak Reflected XSS?

Reflected Cross-Site Scripting (XSS) in Keycloak occurs when attacker-controlled input sent to a Keycloak-managed page or endpoint is echoed back in the HTTP response without proper output encoding, so the browser interprets it as HTML or JavaScript. Unlike stored XSS, nothing is persisted: the payload lives in the request (a URL parameter or, as in this case, a request body) and has to be delivered to the victim each time. A successful exploit runs arbitrary JavaScript in the context of the victim’s session with Keycloak, which can lead to session hijacking, data theft, or other malicious activity.

How to Find Keycloak Reflected XSS

Finding such vulnerabilities can be straightforward if you know where to look. Here’s the step-by-step process I followed to uncover this security flaw.

1. Download My Nuclei Template
Nuclei is a powerful tool for security testing that supports custom templates for various vulnerabilities. The first step is to clone the repository containing the necessary template:

git clone https://github.com/dkcyberz/Harpy.git

Navigate to the appropriate directory:

cd Harpy/nuclei-template

2. Run the Nuclei Template
To scan for the Keycloak Reflected XSS vulnerability, use the Nuclei tool with the provided template:

For a single URL:

nuclei -u example.com -t keycloack-xss.yaml

For a list of URLs:

nuclei -l domains.txt -t keycloack-xss.yaml

This will help you identify potential endpoints in Keycloak that might be vulnerable to Reflected XSS.

How to Verify the Vulnerability?

Once you’ve identified a potential vulnerability using Nuclei, the next step is to verify it manually. The reflection being tested is the POST-based one covered by the references at the end of this post (CVE-2021-20323): a JSON body is sent to the flagged endpoint, and the unknown key is echoed back in the response.

  1. Copy the URL Identified by Nuclei: Take the URL that Nuclei flagged as potentially vulnerable.
  2. Capture the Request in Burp Suite: Open Burp Suite, intercept the request, and send it to the Repeater tab for further manipulation.
  3. Modify the Request:

(i) Change the request method to POST.

(ii) Set the Content-Type header to application/json

(iii) Add the XSS payload to the request body, for example:

{"<img onerror=confirm('keycloak_xss') src/>":1}

4. View the Response:
Right-click the response in Repeater and choose “Show response in browser.” If the browser shows a confirm box with your marker (e.g. keycloak_xss), the payload was reflected unescaped into an HTML response and the reflected XSS is confirmed. Check the response headers as well: the reflection only counts if the Content-Type is text/html, because a browser will not execute a payload echoed inside an application/json body. Keep in mind that this proves the reflection, not the full attack chain. The trigger is a POST with a JSON body, and a plain HTML form cannot send application/json (a cross-origin fetch() with that Content-Type triggers a CORS preflight), so before rating the impact, test whether the endpoint still reflects the payload with the Content-Types a victim’s browser can actually send cross-site.

Remember: Use these techniques ethically. Keep learning and exploring to stay ahead in the game. The world of cybersecurity is vast, and there’s always something new to discover.

Happy Hacking! 🕶️🔓

References:

  1. CVE-2021-20323 proof of concept: https://github.com/ndmalc/CVE-2021-20323
  2. HackerOne report #2126954: https://hackerone.com/reports/2126954

Written by dkcyberz

Hi, I am dkcyberz. I provide valuable cybersecurity content, bug bounty tips, training, and awareness, covering the latest vulnerabilities and threats from A to Z.