keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Make CSS-links absolute instead of relative to prevent PRSSI attacks #18032

Closed foliengriller closed 2 years ago

foliengriller commented 2 years ago

Description

We use a security scanner to automatically detect security problems. The scanner complained about the following:

Relative URLs can be dangerous since browsers may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

References: Evil CSS Injection; Relative Path Overwrite Attack; research paper: Large-Scale Analysis of Style Injection by Relative Path Overwrite.

Impact

An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including cross-site scripting (XSS) and exfiltration of CSRF tokens.

Solution

It is recommended to use absolute URLs for CSS imports. Alternatively, you can add the HTML "base" tag to the document, which defines the base URL or target location for all relative URLs.

Discussion

No response

Motivation

No response

Details

No response

jonkoops commented 2 years ago

Would this attack vector not already mean that the attacker has access to the system? At that point they could pretty much already load arbitrary code from anywhere.

foliengriller commented 2 years ago

If I understand the linked examples correctly, the security problem can only occur in combination with other vulnerabilities like XSS. I am also pretty sure that it is not very likely this can be exploited in the wild. But it would make my (and probably some others') life easier if these scanners did not complain about such "problems". And I hope that it is not that complicated to use absolute URLs for CSS or to add a base tag.

ssilvert commented 2 years ago

We do need to make the scanners happy if we can. Also, I'll pass this on to the security team for evaluation.

jonkoops commented 2 years ago

Adding a base tag should not be too much of a hassle. @ssilvert I think we should seriously consider setting up a Content Security Policy if we want to reduce attack vectors such as Cross-Site Scripting.

jonkoops commented 2 years ago

Created a PR (#3443) to address this. @foliengriller could you let me know if this appeases your security scanner?

foliengriller commented 2 years ago

Hi @jonkoops, thank you for the quick patch. It is not that easy for me to put this change into a place where the scanner can find it. But I will try my best and give feedback. It will take some time, though...

jonkoops commented 2 years ago

@foliengriller if you wait for the next nightly to be released you should be able to test this by downloading Keycloak from the releases tab of the main repo.

LakshmiPhani7680 commented 6 months ago

Hi @ssilvert, @jonkoops, @foliengriller, @abbra or @wuwx (whoever responds, it would be a great help): I have got this path-relative stylesheet import vulnerability in Keycloak version 24. Can you please let me know whether this was resolved in the latest version, or whether there is any way I can resolve it in this version itself? Thank you.

foliengriller commented 6 months ago

@LakshmiPhani7680 - basically this was fixed by adding the <base href="[./]"> to the templates. This should imho prevent the attack, see links above. But of course, not all scanners are satisfied by this solution...
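As an added example (not code from Keycloak or from anyone in this thread), the following Python checker implements the scanner's rule from the issue description and the fix discussed above: it lists path-relative stylesheet links in a rendered page and treats them as mitigated only when an absolute or root-relative `<base href>` is present, since a base that is itself path-relative (such as `./`) is resolved against the same ambiguous document path. The HTML documents are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_path_relative(url: str) -> bool:
    """True for hrefs such as 'css/app.css' or './app.css', which a browser
    resolves against the path of the current document (the PRSSI condition)."""
    url = url.strip()
    if not url:
        return False
    if urlsplit(url).scheme or url.startswith("//") or url.startswith("/"):
        return False  # absolute, protocol-relative or root-relative: unaffected
    return True


class StylesheetAudit(HTMLParser):
    """Collect every <link rel=stylesheet href> and the first <base href>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.stylesheets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]  # browsers honour only the first <base>
        elif tag == "link":
            rels = (a.get("rel") or "").lower().split()
            if "stylesheet" in rels and a.get("href"):
                self.stylesheets.append(a["href"])


def prssi_findings(html: str) -> list:
    """Return stylesheet hrefs still exposed to path-relative import."""
    audit = StylesheetAudit()
    audit.feed(html)
    if audit.base_href is not None and not is_path_relative(audit.base_href):
        return []  # an absolute/root-relative base anchors every relative href
    return [h for h in audit.stylesheets if is_path_relative(h)]


# Constructed sample templates: one without a base, one with an absolute base.
VULNERABLE = ('<html><head><link rel="stylesheet" href="resources/css/login.css">'
              '<link rel="stylesheet" href="/static/reset.css"></head></html>')
HARDENED = ('<html><head><base href="https://sso.example.test/realms/demo/">'
            '<link rel="stylesheet" href="resources/css/login.css"></head></html>')

if __name__ == "__main__":
    print("vulnerable:", prssi_findings(VULNERABLE))  # ['resources/css/login.css']
    print("hardened:", prssi_findings(HARDENED))      # []
```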

LakshmiPhani7680 commented 6 months ago

Hi @foliengriller, thank you so much for the response. I am using custom themes which contain the .ftl and CSS files, and also .properties files where I have included the path to the CSS files. So how can I add this tag, or is there any alternative? And in which version was it fixed? As I said, I am using version 24. Kindly respond, thank you.