Bypassing Authentication in Keycloak — A Deep Dive into Our Discovery

0xBen


O Allah, be a helper and supporter to the people of Gaza; O Allah, protect them with Your protection, grant them patience from You, make their aim true, strengthen their resolve, and lift from them affliction and oppression. O Allah, have mercy on their martyrs, heal their wounded, relieve their distress, and mend their hearts; indeed You have power over all things.

As we know, Keycloak is a widely used open-source identity and access management solution, trusted by many organizations to handle authentication and authorization. However, even the most robust security systems can have weaknesses.

Keycloak Welcome Page

At first, we used:
site:*.private.com inurl:Admin | Login
and found this subdomain:
https://sso.private.private.com/realms/

Wow! This is Keycloak — let’s get started!

Opening https://sso.private.private.com/

redirected me to:

This Realm For managing admin users

Now, before doing anything, let’s go to this endpoint: admin/master/console
and check whether the default credentials (admin, admin) are valid.

But unfortunately, they are not valid 😞

Do not forget to test these credentials at this endpoint

Now, let's go back to the login page and initiate a simple login. (This is the trick here because if you access the registration endpoint directly, you will encounter an error.)

Click on Login button

Invalid username or password!! Now replace authenticate with registration in the URL.

Replacing authenticate with registration

And here we are on the registration page! 😃🔥

Registration Page

But unfortunately, registration is disabled. 😞

registration is disabled

Here, I have several options, but the easiest one is to bypass the UI by removing the "disabled" attribute from the button in the page’s DOM.

Removing disabled Attribute

And it worked! 🎉 Now, let’s capture the request using Burp Suite. 🔥

I found this request body, and after forwarding the request the account was created. However, I am now stuck in the pending stage and cannot access anything!

pending stage😞!!!!!!

Alright, what should I do now? 🤔 I have several options:

  • Perform FUZZING to find any hidden endpoints or parameters 🔍
  • Remove the word "pending" and see if that grants access.
  • But the easiest option is to search through the JavaScript (.js) files for any clues! 🕵️‍♂️

While searching through the JavaScript (.js) files, I found this: 👇

Awesome! Now, let’s create another account while modifying some variables. 🔄

modifying variables

After forwarding the request, I am now an admin with an accepted status! 🔥
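As an added illustration (not code from the write-up or from Keycloak), here is the server-side pattern that makes this last step possible: a registration handler that copies every client-supplied field into the new account, beside one that allowlists fields and assigns role and approval status itself. The field names and values (role, status, pending, accepted) and the registration switch are assumptions; the post does not show the real parameter names.

```python
# Assumed names for this example; the write-up does not reveal the real ones.
ALLOWED_FIELDS = {"username", "email", "password"}   # what a registrant may supply


def register_vulnerable(payload: dict) -> dict:
    """Mass assignment: every submitted field lands in the account record."""
    user = {"role": "user", "status": "pending"}
    user.update(payload)              # a tampered body overrides role/status here
    return user


def register_hardened(payload: dict, registration_enabled: bool = False) -> dict:
    """Enforces the policy server-side and never takes privilege from the client."""
    if not registration_enabled:
        # Greying out a button in the UI is not a control; the server must refuse.
        raise PermissionError("registration is disabled")
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        # Reject rather than silently drop, so tampering is visible in logs.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    user = {k: payload[k] for k in ALLOWED_FIELDS if k in payload}
    user["role"] = "user"             # never read from the request
    user["status"] = "pending"        # approval is a separate admin action
    return user


# Constructed request body, mimicking the modified one from the write-up.
TAMPERED = {"username": "eve", "email": "eve@example.com",
            "password": "x", "role": "admin", "status": "accepted"}
CLEAN = {"username": "bob", "email": "bob@example.com", "password": "y"}

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(TAMPERED))
    print("hardened:", register_hardened(CLEAN, registration_enabled=True))
```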

And here we are on 🔥

We have successfully accessed sensitive data, configuration, and more! 🔥

ALL users in ORG!!!
🔥🔓!!

And here we are at the end! with my bro Az3m

Follow us to stay updated! There are more write-ups coming, but due to time constraints, we’ll publish them later. Stay tuned! 🔥📢

Linkedin

Twitter

Send blessings upon the best of creation, Muhammad ibn Abdullah.

And remember: there is no good in work that distracts from prayer.


Written by 0xBen

Cyber Security Engineer & Researcher | CTF Player
