running ZAP against Keycloak?

Douglas A. Whitfield douglasawh at gmail.com
Wed May 5 21:36:12 UTC 2021


Ok, this is not a Linux question, per se, though I'm not sure Keycloak
runs on anything else. For those of you not in Javaland, the
reference: https://www.keycloak.org/

ZAP in this context: https://www.zaproxy.org/

Idk why it is named a proxy. It's a security scanner.

Here's the issue:

There's an endpoint at http://localhost:8081/auth/admin/serverinfo
that leaks information. I'm not convinced this is actually an issue, as
you can see it requires authentication, but unnamed individuals think
that giving the Keycloak admins information about the server on which
Keycloak resides is an issue.

We have already modified the UI to remove the server Info from the top
right menu option. However, we can see the server info call happening
via XHR.

Has anyone come across an issue like this? Do later versions of
Keycloak have this issue?  I'm about to find this out for myself, but
I thought perhaps someone would have some experience on the matter.
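One way to settle the "does it really require authentication" question for your own instance is to request the endpoint anonymously and classify the answer, instead of relying on what the scanner reports. The script below is an added example, not code from the original post or from the Keycloak or ZAP projects. It assumes the path and the `localhost:8081` base URL named in the post, and it recognises the serverinfo document by a handful of top-level keys (`systemInfo`, `memoryInfo`, ...) that Keycloak's serverinfo response is assumed to carry; only the standard library is used.

```python
"""Verify that Keycloak's admin serverinfo endpoint refuses anonymous requests.

Added example: checks one endpoint on a Keycloak instance you operate and
reports whether it demanded credentials, returned the serverinfo document,
or did something else (for instance a redirect to a login page).
"""
import json
import urllib.error
import urllib.request

# Path from the original post; the base URL is whatever your own instance listens on.
SERVERINFO_PATH = "/auth/admin/serverinfo"

# Top-level keys assumed to appear in Keycloak's serverinfo JSON. They are used only
# to recognise the response shape; adjust them if your version differs.
SERVERINFO_KEYS = ("systemInfo", "memoryInfo", "profileInfo", "themes", "providers")


def classify(status, body):
    """Map an HTTP status and response body to a verdict.

    'requires-auth' : the anonymous request was refused (the expected outcome)
    'exposed'       : the server returned what looks like the serverinfo document
    'unexpected'    : anything else (HTML login page, empty 200, odd status, ...)
    """
    if status in (401, 403):
        return "requires-auth"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(doc, dict) and any(key in doc for key in SERVERINFO_KEYS):
            return "exposed"
    return "unexpected"


def fetch(url, timeout=5):
    """Issue one GET with no Authorization header; return (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 arrive here; keep the body so classify() can inspect it.
        return err.code, err.read().decode("utf-8", "replace")


def check_serverinfo(base_url, fetcher=fetch):
    """Return the verdict for base_url + SERVERINFO_PATH requested without credentials.

    `fetcher` is injectable so the classification logic can be exercised offline.
    """
    status, body = fetcher(base_url.rstrip("/") + SERVERINFO_PATH)
    return classify(status, body)


if __name__ == "__main__":
    import sys

    # Default matches the instance mentioned in the post; pass another base URL to override.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8081"
    print(check_serverinfo(base))
```

Note that `urllib` follows redirects, so a 302 to the login page comes back as a 200 HTML body and is reported as `unexpected` rather than `requires-auth`; that is deliberate, because a redirect-to-login and a hard 401 are different configurations and you want to know which one you have. Running this once without a token and once with an admin token (added as an `Authorization: Bearer` header in `fetch`) gives you the before/after evidence to attach to the scanner finding.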



More information about the Ubuntu-us-wi mailing list