Bypassing Authentication in Keycloak — A Deep Dive into Our Discovery
O Allah, be a helper and supporter to the people of Gaza. O Allah, protect them with Your protection, grant them patience from You, make their aim true, strengthen their resolve, and lift affliction and oppression from them. O Allah, have mercy on their martyrs, heal their wounded, relieve their distress, and mend their hearts; indeed You are able to do all things.
As we know, Keycloak is a widely used open-source identity and access management solution, trusted by many organizations to handle authentication and authorization. However, even the most robust security systems can have weaknesses.
At first, we used this search query: site:*.private.com inurl:Admin | Login
and found this subdomain: https://sso.private.private.com/realms/
Wow! This is Keycloak — let’s get started!
When opening https://sso.private.private.com/, I was redirected to:
Now, before doing anything, let’s go to this endpoint: admin/master/console
and test whether these credentials are valid or not (admin / admin).
But unfortunately, they are not valid 😞
Now, let's go back to the login page and initiate a simple login. (This is the trick here because if you access the registration endpoint directly, you will encounter an error.)
Invalid username or password!! Now replace "authenticate" with "registration".
And here we are on the registration page! 😃🔥
But unfortunately, registration is disabled. 😞
Here, I have several options, but the easiest one is to bypass the UI by removing the word "disabled" from the document!!!
And it worked! 🎉 Now, let’s capture the request using Burp Suite. 🔥
I found this body, and after forwarding the request, the account was created. However, I am now stuck in the pending stage and cannot access anything!!
Alright, what should I do now? 🤔 I have several options:
- Perform FUZZING to find any hidden endpoints or parameters 🔍
- Remove the word "pending" and see if that grants access.
- But the easiest option is to search through the JavaScript (.js) files for any clues! 🕵️♂️
While searching through the JavaScript (.js) files, I found this: 👇
Awesome! Now, let’s create another account while modifying some variables. 🔄
After forwarding the request, I am now an admin with an accepted status! 🔥
We have successfully accessed sensitive data, configuration, etc.! 🔥
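The two weaknesses in this write-up are server-side, not UI-side: the "disabled" registration form was only disabled in the HTML, and the account's role and approval status were taken from whatever the client sent. The following is an added example, not code from the write-up, from Keycloak, or from the target application; the field names role, status, and the "pending"/"accepted" values are assumptions modelled on the narrative (the write-up never shows the actual variable names). It puts the mass-assignment anti-pattern beside a handler that enforces both decisions on the server and records tampered fields for detection.

```python
import json

# Constructed defaults for a self-registered account (assumption: the app tracks a
# role and an approval status, as the write-up's "admin with an accepted status" suggests).
ACCOUNT_DEFAULTS = {"role": "user", "status": "pending"}

# Fields a self-registering user may set; anything else is dropped.
ALLOWED_FIELDS = {"username", "email", "password"}

# Fields only the server (or an approving admin) may ever set.
PROTECTED_FIELDS = {"role", "status", "approved", "isAdmin"}


class RegistrationError(Exception):
    """Raised when a registration request must be refused."""


def _parse_body(raw_body: str) -> dict:
    """Parse a JSON request body and reject anything that is not an object."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise RegistrationError(f"malformed JSON body: {exc}") from exc
    if not isinstance(body, dict):
        raise RegistrationError("body must be a JSON object")
    return body


def vulnerable_register(raw_body: str) -> dict:
    """Mass-assignment anti-pattern: every client-supplied key overrides the defaults.

    Hiding the role/status inputs in the UI, or marking the form 'disabled', is the
    only thing stopping a user from choosing them, and the UI is under client control.
    """
    account = dict(ACCOUNT_DEFAULTS)
    account.update(_parse_body(raw_body))
    return account


def hardened_register(raw_body: str, registration_enabled: bool) -> dict:
    """Registration handler that enforces policy on the server.

    1. The 'registration disabled' decision is made here, not in an HTML attribute.
    2. Only allow-listed fields are copied from the request.
    3. Protected fields always come from server defaults, and any attempt to supply
       them is returned so the caller can log and alert on it.
    Password hashing and persistence are out of scope for this example.
    """
    if not registration_enabled:
        raise RegistrationError("self-registration is disabled")
    body = _parse_body(raw_body)

    missing = ALLOWED_FIELDS - set(body)
    if missing:
        raise RegistrationError(f"missing required fields: {sorted(missing)}")

    account = {field: body[field] for field in ALLOWED_FIELDS}
    account.update(ACCOUNT_DEFAULTS)  # server values win, unconditionally

    # Detection hook: a legitimate registration page never sends these keys, so their
    # presence is a strong tamper signal worth logging with source IP and username.
    tampered = sorted(PROTECTED_FIELDS & set(body))
    ignored = sorted(set(body) - ALLOWED_FIELDS - PROTECTED_FIELDS)
    return {"account": account, "tampered_fields": tampered, "ignored_fields": ignored}


# Constructed request body modelled on the write-up: a registration request with the
# role/status variables edited in an intercepting proxy before forwarding.
TAMPERED_BODY = json.dumps({
    "username": "newuser",
    "email": "newuser@example.invalid",
    "password": "correct horse battery staple",
    "role": "admin",
    "status": "accepted",
})

if __name__ == "__main__":
    print("vulnerable:", vulnerable_register(TAMPERED_BODY))
    print("hardened:  ", hardened_register(TAMPERED_BODY, registration_enabled=True))
    try:
        hardened_register(TAMPERED_BODY, registration_enabled=False)
    except RegistrationError as err:
        print("hardened, registration off:", err)
```

The non-empty tampered_fields list is the signal a SOC would want surfaced: a client that sends role or status on a registration request has edited the form or the request by hand, which is exactly the step this write-up describes.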
And here we are at the end! With my bro Az3m.
Follow us to stay updated! There are more write-ups coming, but due to time constraints, we’ll publish them later. Stay tuned! 🔥📢
Send blessings upon the best of creation, Muhammad ibn Abdullah,
and remember that there is no good in any work that distracts from prayer.