{"version": "https://jsonfeed.org/version/1", "title": "/dev/posts/ - Tag index - web", "home_page_url": "https://www.gabriel.urdhr.fr", "feed_url": "/tags/web/feed.json", "items": [{"id": "http://www.gabriel.urdhr.fr/2025/07/08/keycloak-uma-vulnerabilities/", "title": "Keycloak UMA vulnerabilities", "url": "https://www.gabriel.urdhr.fr/2025/07/08/keycloak-uma-vulnerabilities/", "date_published": "2025-07-08T00:00:00+02:00", "date_modified": "2025-07-08T00:00:00+02:00", "tags": ["computer", "protocol", "web", "security", "oauth", "keycloak", "security", "uma", "openid-connect"], "content_html": "<p>Keycloak's UMA implementation seems tricky to me.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2025/03/18/uma-malicious-as/", "title": "Malicious authorization server attack in UMA\u00a02.0", "url": "https://www.gabriel.urdhr.fr/2025/03/18/uma-malicious-as/", "date_published": "2025-03-18T21:23:51+01:00", "date_modified": "2025-03-18T21:23:51+01:00", "tags": ["computer", "protocol", "web", "security", "oauth", "uma"], "content_html": "<p>In a <a href=\"https://www.gabriel.urdhr.fr/2025/03/18/uma-pass-the-permission-token/\">previous post</a>,\nI described a pass-the-permission-ticket vulnerability in UMA\u00a02.0\nin which a malicious UMA resource server\ncould kindly ask a UMA client\nto give it access tokens actually intended for another UMA resource server.\nIn this post,\nI am describing a similar attack when the authorization server is malicious.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2025/03/18/uma-pass-the-permission-token/", "title": "Pass-the-permission-ticket vulnerability in UMA\u00a02.0", "url": "https://www.gabriel.urdhr.fr/2025/03/18/uma-pass-the-permission-token/", "date_published": "2025-03-18T21:23:50+01:00", "date_modified": "2025-03-18T21:23:50+01:00", "tags": ["computer", "protocol", "web", "security", "oauth", "uma"], "content_html": "<p>In the <a href=\"https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html\">User-Managed 
Access</a> (UMA) 2.0 protocol,\na malicious resource server (or a malicious server acting as a resource server)\ncan obtain a requesting party (access) token (RPT)\nintended for another UMA resource server\nfrom a UMA client\nby passing a permission ticket obtained from the target resource server to the UMA client.\nThis can compromise the privacy (confidentiality)\nand integrity of UMA-protected resources.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2024/10/22/websub-sequence-diagram/", "title": "WebSub sequence diagram", "url": "https://www.gabriel.urdhr.fr/2024/10/22/websub-sequence-diagram/", "date_published": "2024-10-22T00:00:00+02:00", "date_modified": "2024-10-22T00:00:00+02:00", "tags": ["computer", "web", "websub"], "content_html": "<p>A sequence diagram for <a href=\"https://www.w3.org/TR/websub/\">WebSub</a> (formerly PubSubHubbub).</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2024/09/08/on-ad-blockers/", "title": "The FBI recommends using ad blockers", "url": "https://www.gabriel.urdhr.fr/2024/09/08/on-ad-blockers/", "date_published": "2024-09-08T00:00:00+02:00", "date_modified": "2024-09-08T00:00:00+02:00", "tags": ["computer", "web", "security", "privacy"], "content_html": "<p>An interesting note from the FBI.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2024/06/17/uma2-diagrams/", "title": "UMA 2.0 diagrams", "url": "https://www.gabriel.urdhr.fr/2024/06/17/uma2-diagrams/", "date_published": "2024-06-17T00:00:00+02:00", "date_modified": "2024-06-17T00:00:00+02:00", "tags": ["computer", "protocol", "web", "security", "oauth", "uma"], "content_html": "<p>Some diagrams (mostly sequence diagrams) about UMA 2.0.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2023/03/07/mime-type-spoofing/", "title": "MIME-type spoofing in Firefox/Thunderbird and file managers", "url": "https://www.gabriel.urdhr.fr/2023/03/07/mime-type-spoofing/", "date_published": "2023-03-07T00:00:00+01:00", "date_modified": "2023-03-07T00:00:00+01:00", "tags": ["computer", "web", 
"security", "vulnerability", "firefox", "freedesktop", "thunderbird"], "content_html": "<p>An interesting spoofing attack\nresulting from the interaction\nbetween Firefox (or Thunderbird)\nMIME type handling and file managers.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2023/02/28/rce-file-association-debian-mono/", "title": "Code execution through MIME-type association of Mono interpreter", "url": "https://www.gabriel.urdhr.fr/2023/02/28/rce-file-association-debian-mono/", "date_published": "2023-02-28T00:00:00+01:00", "date_modified": "2023-02-28T00:00:00+01:00", "tags": ["computer", "web", "security", "vulnerability", "debian", "freedesktop", "mono"], "content_html": "<p>A dangerous file type association in <a href=\"https://www.debian.org/\">Debian</a>\nwhich could be used to trigger arbitrary code execution.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2023/02/06/oauth2-diagrams/", "title": "OAuth 2.x and OpenID Connect sequence diagrams", "url": "https://www.gabriel.urdhr.fr/2023/02/06/oauth2-diagrams/", "date_published": "2023-02-06T00:00:00+01:00", "date_modified": "2026-01-09T11:59:47+01:00", "tags": ["computer", "protocol", "web", "security", "oauth", "openid-connect", "keycloak"], "content_html": "<p>Some sequence diagrams about OAuth 2.x and OpenID Connect.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/05/05/browser-mediated-attacks-on-webdriver/", "title": "Browser-based attacks on WebDriver implementations", "url": "https://www.gabriel.urdhr.fr/2022/05/05/browser-mediated-attacks-on-webdriver/", "date_published": "2022-05-05T00:00:00+02:00", "date_modified": "2022-05-05T00:00:00+02:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", "dns-rebinding", "csrf"], "content_html": "<p>Some context and analysis about attacks on\n<a href=\"https://www.w3.org/TR/webdriver/\">WebDriver</a> implementations.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/02/26/tls1.3-intro/", "title": "Introduction to TLS v1.3", "url": 
"https://www.gabriel.urdhr.fr/2022/02/26/tls1.3-intro/", "date_published": "2022-02-26T00:00:00+01:00", "date_modified": "2024-11-23T01:15:07+01:00", "tags": ["computer", "web", "network", "tls", "cryptography"], "content_html": "<p>Some notes about how <a href=\"https://datatracker.ietf.org/doc/html/rfc8446\">TLS v1.3</a> works.\nThis is a follow-up to the <a href=\"https://www.gabriel.urdhr.fr/2021/11/30/tls1.2-intro/\">previous episode</a>\nabout <a href=\"https://datatracker.ietf.org/doc/html/rfc5246\">TLS v1.2</a>.\nAs before, the goal is to give a high-level overview\nof how the protocol works\nand of the role of the different messages,\nand to be able to understand (and debug) a network traffic dump.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/", "title": "CSRF and DNS-rebinding to RCE in Selenium Server (Grid)", "url": "https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/", "date_published": "2022-02-07T22:15:00+01:00", "date_modified": "2022-02-07T22:15:00+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "csrf", "dns-rebinding"], "content_html": "<p>Vulnerabilities found on the <a href=\"https://www.w3.org/TR/webdriver2/\">WebDriver</a>\nendpoints of Selenium Server (Grid).</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2022/02/07/geckodriver-dns-rebinding-rce/", "title": "DNS rebinding vulnerability to RCE in GeckoDriver", "url": "https://www.gabriel.urdhr.fr/2022/02/07/geckodriver-dns-rebinding-rce/", "date_published": "2022-02-07T22:10:00+01:00", "date_modified": "2022-02-07T22:10:00+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", "dns-rebinding"], "content_html": "<p>A DNS rebinding vulnerability I found in\nGeckoDriver which could be used to execute arbitrary shell commands.\nThis is bug <a href=\"https://bugzilla.mozilla.org/show_bug.cgi?id=1652612\">#1652612</a>\nand <a 
href=\"https://nvd.nist.gov/vuln/detail/CVE-2021-4138\">CVE-2021-4138</a>.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/11/30/tls1.2-intro/", "title": "Introduction to TLS v1.2", "url": "https://www.gabriel.urdhr.fr/2021/11/30/tls1.2-intro/", "date_published": "2021-11-30T00:00:00+01:00", "date_modified": "2024-11-23T01:15:07+01:00", "tags": ["computer", "web", "network", "tls", "cryptography"], "content_html": "<p>Some notes\nabout how <a href=\"https://datatracker.ietf.org/doc/html/rfc5246\">TLS v1.2</a>\n(Transport Layer Security) works.\nThe goal is to explain what is going on in a network traffic dump,\nthe role of the different TLS extensions,\nthe impact of the different cipher suites on security, etc.\nIt includes several diagrams and many references.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/08/16/chromedriver-cross-origin-request-forgery-rce/", "title": "Cross-origin/same-site request forgery to RCE in chromedriver", "url": "https://www.gabriel.urdhr.fr/2021/08/16/chromedriver-cross-origin-request-forgery-rce/", "date_published": "2021-08-16T23:22:56+02:00", "date_modified": "2022-02-13T23:19:32+01:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "csrf"], "content_html": "<p>I found a cross-origin/same-site request forgery vulnerability\nin chromedriver.\nIt was <a href=\"https://bugs.chromium.org/p/chromium/issues/detail?id=1100097\">rejected</a> (won't fix) because it is only\npossible to trigger this from the cross-origin/same-site and not cross-site.\nIn practice, it means it is really only possible to trigger this from another\nlocalhost-bound web application.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/08/16/geckodriver-csrf-rce/", "title": "CSRF to RCE in GeckoDriver", "url": "https://www.gabriel.urdhr.fr/2021/08/16/geckodriver-csrf-rce/", "date_published": "2021-08-16T23:00:48+02:00", "date_modified": "2021-08-16T23:00:48+02:00", "tags": ["computer", "security", "web", "vulnerability", "webdriver", "firefox", 
"csrf"], "content_html": "<p>A Cross-Site Request Forgery (CSRF) vulnerability I found in\nGeckoDriver which could be used to execute arbitrary shell commands.\n<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-15660\">CVE-2020-15660</a>\nhas been assigned to this vulnerability.\nThis was fixed by <a href=\"https://github.com/mozilla/geckodriver/releases/tag/v0.27.0\">GeckoDriver v0.27.0</a>\non 2020-07-27.\nThis is <a href=\"https://bugzilla.mozilla.org/show_bug.cgi?id=1648964\">bug #1648964</a>.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/", "title": "Firefox DoH DNS rebinding protection bypass using IPv4-mapped addresses", "url": "https://www.gabriel.urdhr.fr/2021/04/05/firefox-doh-dns-rebinding-protection-bypass/", "date_published": "2021-04-05T00:00:00+02:00", "date_modified": "2021-04-05T00:00:00+02:00", "tags": ["computer", "security", "vulnerability", "web", "dns-rebinding", "firefox"], "content_html": "<p>I found that\nthe filtering of private IPv4 addresses\nin the <a href=\"https://tools.ietf.org/html/rfc8484\">DNS-over-HTTPS</a> (DoH) implementation of Firefox could be bypassed.\nThis is <a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-26961\">CVE-2020-26961</a>\nand <a href=\"https://bugzilla.mozilla.org/show_bug.cgi?id=1672528\">Mozilla bug 1672528</a>.\nIt has been fixed in <a href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/\">Firefox 83</a>,\n<a href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/\">Firefox ESR 78.5</a>\nand <a href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/\">Thunderbird 78.5</a>.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2020/09/23/dns-rebinding-freebox/", "title": "DNS rebinding vulnerabilities in Freebox", "url": "https://www.gabriel.urdhr.fr/2020/09/23/dns-rebinding-freebox/", "date_published": "2020-09-23T00:00:00+02:00", "date_modified": "2020-09-23T00:00:00+02:00", "tags": ["computer", "security", 
"vulnerability", "web", "upnp", "dns-rebinding", "csrf", "device"], "content_html": "<p>I found some <a href=\"https://nitter.net/RedTeamPT/status/1318165465429061633\">DNS rebinding</a> vulnerabilities in <a href=\"https://www.free.fr/freebox/\">Freebox</a> devices\n(<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-24374\">CVE-2020-24374</a>,\n<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-24375\">CVE-2020-24375</a>,\n<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-24376\">CVE-2020-24376</a>,\n<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-24377\">CVE-2020-24377</a>)\nas well as a Cross Site Request Forgery (CSRF) vulnerability\n(<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2020-24373\">CVE-2020-24373</a>).\nThese vulnerabilities were <a href=\"https://dev.freebox.fr/blog/?p=10222\">fixed on 2020-08-05</a>.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2019/02/12/yunohost-rce-csrf/", "title": "Remote code execution via cross site request forgery in InternetCube and YunoHost", "url": "https://www.gabriel.urdhr.fr/2019/02/12/yunohost-rce-csrf/", "date_published": "2019-02-12T00:00:00+01:00", "date_modified": "2019-02-12T00:00:00+01:00", "tags": ["computer", "web", "security", "yunohost", "csrf", "vulnerability"], "content_html": "<p>How I found remote code execution vulnerabilities\nvia <a href=\"https://marc.info/?l=bugtraq&amp;m=99263135911884&amp;w=2\">Cross Site Request Forgery</a> (CSRF)\non the administration interfaces\nof <a href=\"https://labriqueinter.net/\">InternetCube</a> applications\nand of the <a href=\"https://yunohost.org/\">YunoHost</a> administration interface\nwhich could have been used to execute arbitrary code as root.\nThese vulnerabilities were fixed in YunoHost 3.3, OpenVPN Client app 1.3.0\nand YunoHost 3.4.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2018/11/22/south-park-ip-address-spoofing/", "title": "IP address spoofing in order to watch South Park", "url": 
"https://www.gabriel.urdhr.fr/2018/11/22/south-park-ip-address-spoofing/", "date_published": "2018-11-22T00:00:00+01:00", "date_modified": "2018-11-22T00:00:00+01:00", "tags": ["computer", "web", "hack", "firefox"], "content_html": "<p>Trying to bring back some old IP spoofing Firefox extension\nfor watching South Park episodes.</p>\n"}, {"id": "http://www.gabriel.urdhr.fr/2015/07/04/html-pipeline-middleman/", "title": "Use HTML pipeline in Middleman", "url": "https://www.gabriel.urdhr.fr/2015/07/04/html-pipeline-middleman/", "date_published": "2015-07-04T00:00:00+02:00", "date_modified": "2015-07-04T00:00:00+02:00", "tags": ["computer", "middleman", "ruby", "html", "emoji", "markdown", "web"], "content_html": "<p>How to use <a href=\"https://github.com/jch/html-pipeline\"><code>html-pipeline</code></a> in\n<a href=\"https://middlemanapp.com/\">middleman</a>.</p>\n"}]}