We have an Angular application available over the internet. We are using the Keycloak login page for it, and hence the Keycloak account client is kept as Public. This results in access to the Keycloak account application when a user has logged in via the Angular application and is attacked via a forwarded-host URL: https://mysite/auth/realms/keycloakaccount/account/?mode=qr&host_header=x-forwarded-host. If we make the Keycloak account client Confidential, then we are not able to access the login page.
Vulnerability Class: Improper Input Handling
Additional Information: HostHeader, CWE-20
Custom Description: The application uses the input coming from the Host or X-Forwarded-Host request headers as part of the response without proper validation. Information from these headers should not be trusted, as it is just another client-side value an attacker can tamper with, which can result in unintended behavior.
To reproduce the vulnerability follow these steps:
- Determine if the request discovered was placed authenticated or unauthenticated and log in as necessary.
- Place the request from the URL in question.
- Intercept the request using a proxy tool.
- Modify the test header, i.e. Host: or X-Forwarded-Host:.
- Forward the edited request.
- Search for the site in the response and observe that the injection reflects.
This demonstrates that the application is using the value of the “Host” or “X-Forwarded-Host” header in its response. This is vulnerable behavior because the user can control the values of the request headers.
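To make the finding concrete from the defender's side, here is an added example (not Keycloak's code and not part of the original post) that places the trusting pattern the scanner describes next to a hardened version and a small detection helper. The canonical host `mysite`, the allow-list, and the header values are constructed for the example; the account path is the one from the reported URL.

```python
"""Host / X-Forwarded-Host handling: the trusting pattern beside a hardened one."""
import logging
from urllib.parse import urlsplit

logger = logging.getLogger("host_header_check")

# Assumed deployment facts (constructed for this example): the public hostname the
# site is actually served on, configured once and never derived from a request.
CANONICAL_HOST = "mysite"
ALLOWED_HOSTS = frozenset({"mysite"})
ACCOUNT_PATH = "/auth/realms/keycloakaccount/account/"  # path taken from the report


def _normalize(headers):
    """Lower-case header names so lookups are case-insensitive, as HTTP headers are."""
    return {k.lower(): v for k, v in headers.items()}


def _first_host(value):
    """X-Forwarded-Host may carry a comma-separated chain; keep the client-facing
    entry, drop any port and lower-case it (DNS names are case-insensitive)."""
    first = value.split(",", 1)[0].strip()
    return urlsplit("//" + first).hostname or ""


def base_url_trusting(headers):
    """The pattern the finding describes: whatever the client sends in
    X-Forwarded-Host (falling back to Host) lands in the response unchecked."""
    h = _normalize(headers)
    host = h.get("x-forwarded-host") or h.get("host", "")
    return f"https://{host}{ACCOUNT_PATH}"


def base_url_hardened(headers, allowed_hosts=ALLOWED_HOSTS, canonical=CANONICAL_HOST):
    """Validate the forwarded host against an allow-list and fall back to the
    configured canonical host when it does not match, logging the rejection."""
    h = _normalize(headers)
    raw = h.get("x-forwarded-host") or h.get("host", "")
    candidate = _first_host(raw)
    if candidate in allowed_hosts:
        return f"https://{candidate}{ACCOUNT_PATH}"
    logger.warning("rejected host header value %r; using canonical host", raw)
    return f"https://{canonical}{ACCOUNT_PATH}"


def flag_host_mismatch(headers, allowed_hosts=ALLOWED_HOSTS):
    """Detection helper for access logs or a proxy rule: returns the names of the
    host-bearing headers whose value is not an allowed host ([] when consistent)."""
    h = _normalize(headers)
    return [
        name for name in ("host", "x-forwarded-host")
        if name in h and _first_host(h[name]) not in allowed_hosts
    ]


if __name__ == "__main__":
    # Constructed request headers: a legitimate Host with a tampered X-Forwarded-Host.
    tampered = {"Host": "mysite", "X-Forwarded-Host": "evil.example"}
    print("trusting :", base_url_trusting(tampered))
    print("hardened :", base_url_hardened(tampered))
    print("flagged  :", flag_host_mismatch(tampered))
```

The allow-list check is the application-side guard; in a Keycloak deployment the equivalent is to configure a fixed public hostname and to have the reverse proxy set the forwarded headers itself rather than pass the client's values through, so that the value reaching Keycloak is never attacker-controlled.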