Login absence of anti CSRF token

Hello All,

We ran a DAST scan on our Keycloak instance and got the security suggestion below. I am not sure whether Keycloak already has CSRF protection enabled. If yes, how can we confirm that it is enabled, with evidence in the headers, request or cookies?

Description
CSRF (Cross-Site Request Forgery) exploits trust between a user’s browser and a web application, allowing attackers to perform unauthorized actions. In a login scenario, an attacker tricks a user into submitting a form that logs them into the attacker’s account without consent.

Impact
The impact of CSRF in a login context can be severe, leading to unauthorized access, data breaches, and account takeover. Users may unknowingly perform actions that compromise their security,

Recommendation
To prevent CSRF attacks, use unique tokens for forms, set “SameSite” attributes on cookies, implement CSRF Tokens and validate the Referrer header.

Keycloak’s login flow complies with the OAuth 2.0 state cookie requirement and implements a double-submit pattern with a state cookie (see Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series).

This state cookie is named OAuth_Token_Request_State for OIDC logins.

The Admin Console also creates a state cookie and embeds it into forms to do the same check (see the Server Administration Guide).

I hope this helps.

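The double-submit state check described in the answer above, as an added example that is not part of the original thread and not Keycloak's own code. It takes two captured HTTP messages from an OIDC login, the relying party's redirect that starts the login (Set-Cookie plus a Location with `?state=...`) and the browser's request back to the redirect_uri (`?code=...&state=...` plus the Cookie header), and reports the evidence a DAST reviewer would want: that a state cookie is set, what attributes protect it, that the same value is sent as the `state` parameter, and that a callback whose `state` does not match the browser's cookie is rejected. Every header, URL, code and state value below is constructed for the example; the cookie name OAuth_Token_Request_State is the one given in the answer, but the assumption that the cookie holds the same value as the `state` parameter is the generic double-submit form, so adapt the comparison if a deployment derives one from the other.

```python
"""Evidence collection for the double-submit state pattern in an OIDC login.

Added example, not code from the thread or from Keycloak. All captured
headers and values below are constructed for illustration.
"""
import hmac
from urllib.parse import parse_qs, urlparse

STATE_COOKIE = "OAuth_Token_Request_State"  # name given in the answer above


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True  # bare flags such as HttpOnly
    return name, value, attrs


def query_param(url, key):
    """Return the first value of ?key=... in url, or None if absent."""
    return parse_qs(urlparse(url).query).get(key, [None])[0]


def collect_evidence(set_cookie_headers, location, cookie_name=STATE_COOKIE):
    """Evidence from the login-start response: is the state cookie set, do its
    attributes protect it, and does its value match ?state= in the Location?"""
    evidence = {"cookie_set": False, "state_matches": False,
                "httponly": False, "secure": False, "samesite": None}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        evidence["cookie_set"] = True
        evidence["httponly"] = attrs.get("httponly", False) is True
        evidence["secure"] = attrs.get("secure", False) is True
        evidence["samesite"] = attrs.get("samesite")
        sent_state = query_param(location, "state")
        evidence["state_matches"] = (sent_state is not None
                                     and hmac.compare_digest(value, sent_state))
    return evidence


def verify_callback(cookie_header, callback_url, cookie_name=STATE_COOKIE):
    """The check the relying party must make on the redirect back: the state
    parameter must equal the value in the browser's own cookie. A forged
    callback (attacker's code and state, victim's cookie) fails here, which
    is what defeats login CSRF."""
    cookies = dict(p.strip().partition("=")[::2]
                   for p in cookie_header.split(";") if p.strip())
    expected = cookies.get(cookie_name)
    received = query_param(callback_url, "state")
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected, received)  # constant-time comparison


# Constructed capture of the relying party's response that starts the login.
LOGIN_START_SET_COOKIE = [
    "OAuth_Token_Request_State=7f3c9a1e-constructed-state; Path=/; Secure; HttpOnly; SameSite=Lax",
    "JSESSIONID=constructed-session-id; Path=/; Secure; HttpOnly",
]
LOGIN_START_LOCATION = (
    "https://keycloak.example.test/realms/demo/protocol/openid-connect/auth"
    "?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcallback"
    "&state=7f3c9a1e-constructed-state"
)

# Constructed redirects back to the app: the legitimate one, and one an
# attacker could link a victim to, carrying the attacker's code and state.
GOOD_CALLBACK = "https://app.example.test/callback?code=constructed-code&state=7f3c9a1e-constructed-state"
FORGED_CALLBACK = "https://app.example.test/callback?code=attackers-code&state=attackers-state"
VICTIM_COOKIE_HEADER = "OAuth_Token_Request_State=7f3c9a1e-constructed-state; JSESSIONID=constructed-session-id"

if __name__ == "__main__":
    print(collect_evidence(LOGIN_START_SET_COOKIE, LOGIN_START_LOCATION))
    print("legitimate callback accepted:", verify_callback(VICTIM_COOKIE_HEADER, GOOD_CALLBACK))
    print("forged callback accepted:", verify_callback(VICTIM_COOKIE_HEADER, FORGED_CALLBACK))
```

To turn this into evidence for the scanner report, replace the constructed lists with the Set-Cookie and Location headers copied from the real login-start response in a proxy such as Burp or ZAP, then replay the callback request with a modified `state` and confirm the application rejects it; a DAST tool that only inspects the HTML login form for a hidden token field will not see a cookie-based double-submit check and can flag it as missing even when it is in place.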

@ben.overcash Thanks for your response and for sharing the required docs.