def perform(self, username: Username, password: Password, realm: Realm, client: Client, **kwargs) \
-> (Set[Credential], VulnFlag):
results: Set[Credential] = set()
well_known = realm.get_well_known(super().base_url(), super().session())
for grant_type in well_known.allowed_grants():
self.try_token(client, grant_type, realm, well_known, results, username, password)
self.try_form_auth(client, realm, well_known, results, username, password)
return results, VulnFlag(False)
def perform(self, realm: Realm, credential: Credential, **kwargs) \
-> (Set[ClientRegistration], VulnFlag):
"""
Perform scan.
For each realm, search for registration endpoint in well known
:param credential: credential to test
:param realm: realm to test
:param kwargs:
:return: a list of ClientRegistration and a vuln flag. vulnerable if a client can be registered
"""
result: Set[ClientRegistration] = set()
well_known = realm.get_well_known(super().base_url(),
super().session())
registration_endpoint = well_known.json['registration_endpoint']
# callback url is a file, open the file and test each line
for callback_url in callbackurl_iterator(self.callback_url):
cr = self.check_registration_endpoint(realm, registration_endpoint,
callback_url, well_known)
if cr is not None:
result.add(cr)
else:
cr = self.check_registration_endpoint(realm,
registration_endpoint,
callback_url, well_known,
credential)
if cr is not None:
result.add(cr)
# clean all clients
for client_registration in result:
try:
client_registration.delete(super().session())
super().info(f'Deleted client {client_registration.name}')
except Exception as e:
super().warn(
f'Unable to delete client {client_registration.name} at {client_registration.url} {e}'
)
return result, VulnFlag(len(result) > 0)
def perform(self, realm: Realm, **kwargs) -> (Set[WellKnown], VulnFlag):
result: Set[WellKnown] = set()
try:
well_known = realm.get_well_known(self.base_url(),
super().session())
super().find(
self.name(), 'Find a well known for realm {} {}'.format(
realm.name, well_known.url))
result.add(well_known)
except Exception as e:
super().verbose(str(e))
return result, VulnFlag()
def has_auth_endpoint(self, client_name: str, realm: Realm) -> bool:
try:
well_known = realm.get_well_known(self.base_url(), self.session())
url = well_known.json['authorization_endpoint']
r = super().session().get(url,
params={'client_id': client_name}, allow_redirects=False)
# TODO : is code 400 always an existing client ?
if r.status_code == 302 or r.status_code == 400:
super().find(self.name(), f'Find a client auth endpoint for realm {realm.name} and client {client_name}: {url}')
return True
except KeyError as e:
print(
f'realm {realm.name}\'s wellknown doesn\'t exists or do not have "authorization_endpoint".')
print(e)
return False
def perform(self) -> (Set[Realm], VulnFlag):
realms: Set[Realm] = set()
for realm_name in self.realms:
url = URL_PATTERN.format(super().base_url(), realm_name)
r = super().session().get(url)
if r.status_code != 200:
super().verbose('Bad status code for realm {} {}: {}'.format(
realm_name, url, r.status_code))
else:
super().info('Find realm {} ({})'.format(realm_name, url))
realm = Realm(realm_name, url, r.json())
if 'public_key' in realm.json:
super().info(
f'Public key for realm {realm_name} : {realm.json["public_key"]}'
)
realms.add(realm)
return realms, VulnFlag()
def credential_set() -> Set[Credential]:
return {
Credential(username='******', password='******',
client=Client('keycloak-client-456789', '', None),
realm=Realm('master', '', None))
}
def other_realm(other_realm_json: dict) -> Realm:
return Realm('other', 'http://localhost:8080/auth/realms/other', json=other_realm_json)
def master_realm(master_realm_json: dict) -> Realm:
return Realm('master', 'http://localhost:8080/auth/realms/master', json=master_realm_json)
def test_perform_with_event(base_url: str, all_realms: List[Realm],
all_clients: List[Client],
well_known_list: List[WellKnown],
full_scan_mock_session: requests.Session, capsys):
mediator = Mediator([
LoginScanner(base_url=base_url,
session_provider=lambda: full_scan_mock_session)
])
mediator.send(WrapperTypes.USERNAME_TYPE, {Username('admin')})
mediator.send(WrapperTypes.PASSWORD_TYPE, {Password('pa55w0rd')})
mediator.send(WrapperTypes.REALM_TYPE, set(all_realms))
mediator.send(WrapperTypes.CLIENT_TYPE, set(all_clients))
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, set(well_known_list))
result = mediator.scan_results.get(WrapperTypes.CREDENTIAL_TYPE)
captured = capsys.readouterr()
assert result == {
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client('client1',
'http://localhost:8080/auth/realms/master/client1'),
'admin', 'pa55w0rd'),
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/master/client2'),
'admin', 'pa55w0rd'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client('client1',
'http://localhost:8080/auth/realms/master/client1'),
'admin', 'pa55w0rd'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/master/client2'),
'admin', 'pa55w0rd')
}
assert "[+] LoginScanner - Form login work for admin on realm other, client client2, (<openid location>)" in captured.out
def test_full_scan(base_url: str, full_scan_mock_session: Session, monkeypatch,
master_realm: Realm, other_realm: Realm, client1: Client,
client2: Client, well_known_master: WellKnown,
well_known_other: WellKnown):
monkeypatch.setattr(uuid, 'uuid4', value=lambda: '456789')
common_args = {
'base_url': base_url,
'session_provider': lambda: full_scan_mock_session
}
scanners = [
RealmScanner(realms=['master', 'other'], **common_args),
WellKnownScanner(**common_args),
ClientScanner(clients=['client1', 'client2'], **common_args),
LoginScanner(**common_args),
ClientRegistrationScanner(**common_args,
callback_url=['http://callback']),
SecurityConsoleScanner(**common_args),
OpenRedirectScanner(**common_args),
FormPostXssScanner(**common_args),
NoneSignScanner(**common_args)
]
scanner = MasterScanner(scanners=scanners,
initial_values={
WrapperTypes.USERNAME_TYPE: {Username('user')},
WrapperTypes.PASSWORD_TYPE: {Password('user')}
},
verbose=True)
scanner.start()
assert scanner.mediator.scan_results.get(
WrapperTypes.CLIENT_REGISTRATION
) == {
ClientRegistration(
'http://callback',
name='keycloak-client-456789',
url=
'http://localhost:8080/auth/realms/master/clients-registrations/openid-connect/539ce782-5d15-4256-a5fa-1a46609d056b',
json={
'redirect_uris': ['http://localhost:8080/callback'],
'token_endpoint_auth_method': 'client_secret_basic',
'grant_types': ['authorization_code', 'refresh_token'],
'response_types': ['code', 'none'],
'client_id': '539ce782-5d15-4256-a5fa-1a46609d056b',
'client_secret': 'c94f5fc0-0a04-4e2f-aec6-b1f5edad1d44',
'client_name': 'keycloak-client-456789',
'scope': 'address phone offline_access microprofile-jwt',
'jwks_uri': 'http://localhost:8080/public_keys.jwks',
'subject_type': 'pairwise',
'request_uris': ['http://localhost:8080/rf.txt'],
'tls_client_certificate_bound_access_tokens': False,
'client_id_issued_at': 1622306364,
'client_secret_expires_at': 0,
'registration_client_uri':
'http://localhost:8080/auth/realms/master/clients-registrations/openid-connect/539ce782-5d15-4256-a5fa-1a46609d056b',
'backchannel_logout_session_required': False
}),
ClientRegistration(
'http://callback',
name='keycloak-client-456789',
url=
'http://localhost:8080/auth/realms/other/clients-registrations/openid-connect/539ce782-5d15-4256-a5fa-1a46609d056b',
json={
'redirect_uris': ['http://localhost:8080/callback'],
'token_endpoint_auth_method': 'client_secret_basic',
'grant_types': ['authorization_code', 'refresh_token'],
'response_types': ['code', 'none'],
'client_id': '539ce782-5d15-4256-a5fa-1a46609d056b',
'client_secret': 'c94f5fc0-0a04-4e2f-aec6-b1f5edad1d44',
'client_name': 'keycloak-client-456789',
'scope': 'address phone offline_access microprofile-jwt',
'jwks_uri': 'http://localhost:8080/public_keys.jwks',
'subject_type': 'pairwise',
'request_uris': ['http://localhost:8080/rf.txt'],
'tls_client_certificate_bound_access_tokens': False,
'client_id_issued_at': 1622306364,
'client_secret_expires_at': 0,
'registration_client_uri':
'http://localhost:8080/auth/realms/other/clients-registrations/openid-connect/539ce782-5d15-4256-a5fa-1a46609d056b',
'backchannel_logout_session_required': False
})
}
assert scanner.mediator.scan_results.get(WrapperTypes.CLIENT_TYPE) == {
Client(
'client1', 'http://localhost:8080/auth/realms/master/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/master/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes':
['address', 'phone', 'offline_access', 'microprofile-jwt']
})),
Client('client2', 'http://localhost:8080/auth/realms/master/client2',
None),
Client(
'client1', 'http://localhost:8080/auth/realms/other/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/other/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes':
['address', 'phone', 'offline_access', 'microprofile-jwt']
})),
Client('client2', 'http://localhost:8080/auth/realms/other/client2',
None)
}
for r in scanner.mediator.scan_results.get(WrapperTypes.CREDENTIAL_TYPE):
print('####')
print(repr(r))
print(hash(r))
print('####')
assert scanner.mediator.scan_results.get(WrapperTypes.CREDENTIAL_TYPE) == {
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/other/client2', None),
'user', 'user'),
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/master/client2', None),
'user', 'user'),
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client(
'client1', 'http://localhost:8080/auth/realms/master/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/master/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes': [
'address', 'phone', 'offline_access',
'microprofile-jwt'
]
})), 'user', 'user'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/master/client2', None),
'user', 'user'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/other/client2', None),
'user', 'user'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client(
'client1', 'http://localhost:8080/auth/realms/master/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/master/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes': [
'address', 'phone', 'offline_access',
'microprofile-jwt'
]
})), 'user', 'user'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client(
'client1', 'http://localhost:8080/auth/realms/other/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/other/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes': [
'address', 'phone', 'offline_access',
'microprofile-jwt'
]
})), 'user', 'user'),
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client(
'client1', 'http://localhost:8080/auth/realms/other/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/other/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes': [
'address', 'phone', 'offline_access',
'microprofile-jwt'
]
})), 'user', 'user')
}
client1_master = Client(
'client1', 'http://localhost:8080/auth/realms/master/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/master/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes':
['address', 'phone', 'offline_access', 'microprofile-jwt']
}))
client2_master = Client(
'client2', 'http://localhost:8080/auth/realms/master/client2', None)
client1_other = Client(
'client1', 'http://localhost:8080/auth/realms/other/client1',
ClientConfig(
'client1',
'http://localhost:8080/realms/other/clients-registrations/default/client1',
{
'id':
'899e2dc1-5fc0-4eaf-bedb-f81a3f9e9313',
'clientId':
'admin-cli',
'name':
'${client_admin-cli}',
'surrogateAuthRequired':
False,
'enabled':
True,
'alwaysDisplayInConsole':
False,
'clientAuthenticatorType':
'client-secret',
'redirectUris': [],
'webOrigins': [],
'notBefore':
0,
'bearerOnly':
False,
'consentRequired':
False,
'standardFlowEnabled':
False,
'implicitFlowEnabled':
False,
'directAccessGrantsEnabled':
False,
'serviceAccountsEnabled':
False,
'publicClient':
False,
'frontchannelLogout':
False,
'protocol':
'openid-connect',
'attributes': {},
'authenticationFlowBindingOverrides': {},
'fullScopeAllowed':
False,
'nodeReRegistrationTimeout':
0,
'defaultClientScopes':
['web-origins', 'roles', 'profile', 'email'],
'optionalClientScopes':
['address', 'phone', 'offline_access', 'microprofile-jwt']
}))
client2_other = Client('client2',
'http://localhost:8080/auth/realms/other/client2',
None)
# TODO: test when find vuln
assert scanner.mediator.scan_results.get(WrapperTypes.OPEN_REDIRECT) == {
OpenRedirect(master_realm, client1_master),
OpenRedirect(master_realm, client2_master),
OpenRedirect(other_realm, client1_other),
OpenRedirect(other_realm, client2_other),
# TODO: this is bad, url need conditions
OpenRedirect(master_realm, client1_other),
OpenRedirect(master_realm, client2_other),
OpenRedirect(other_realm, client1_master),
OpenRedirect(other_realm, client2_master),
}
assert scanner.mediator.scan_results.get(
WrapperTypes.FORM_POST_XSS) == set()
assert scanner.mediator.scan_results.get(
WrapperTypes.REALM_TYPE) == {master_realm, other_realm}
assert scanner.mediator.scan_results.get(
WrapperTypes.SECURITY_CONSOLE) == set()
assert scanner.mediator.scan_results.get(
WrapperTypes.WELL_KNOWN_TYPE) == {well_known_master, well_known_other}