
Keycloak vulnerabilities scanner

Project description

keycloak-scanner

Introduction

This scanner checks a Keycloak OpenID Connect deployment for known vulnerabilities.

Installation

pip install keycloak-scanner

Example

keycloak-scanner http://localhost:8080 \
  --realms myorganisation \
  --clients mobile,webapp \
  --username tester@neuronaddict.org \
  --password P455w0rd \
  --proxy http://localhost:8080 \
  --ssl-noverify

Options used above:
- base_url: URL to test
- --realms: realms to scan
- --clients: clients to scan
- --username: a username to test the auth process
- --password: password to test a password auth
- --proxy: route requests through a proxy such as Burp
- --ssl-noverify: don't check SSL certificates

By default the scanner exits with a non-zero code once all tests are done if a vulnerability was found (see --no-fail in the help below).

Help

$ keycloak-scanner --help
usage: keycloak-scanner [-h] [--realms REALMS] [--clients CLIENTS] [--proxy PROXY] [--username USERNAME] [--password PASSWORD] [--ssl-noverify] [--verbose] [--no-fail] base_url

KeyCloak vulnerabilities scanner.

positional arguments:
  base_url             URL to scan. ex http://localhost:8080

optional arguments:
  -h, --help           show this help message and exit
  --realms REALMS      Comma separated list of custom realms to test
  --clients CLIENTS    Comma separated list of custom clients to test
  --proxy PROXY        Use a great proxy like BURP ;)
  --username USERNAME  If a username is specified, try to connect and attack a token. If no password, try username as password.
  --password PASSWORD  password to test with username
  --ssl-noverify       Do not verify ssl certificates
  --verbose            Verbose mode
  --no-fail            Always exit with code 0 (by default, fail with an exit code 4 if a vulnerability is discovered). Do NOT fail before all test are done.

By default, the master realm is always tested.
Clients always tested: account, admin-cli, broker, realm-management, security-admin-console.

Scans:
- list realms
- search well-known files
- search for clients
- search for security-admin-console and secrets inside
- search for open redirect via unvalidated redirect_uri
- search for CVE-2018-14655 (reflected XSS)
- none alg in refresh token
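A defender-side illustration of the last check above, added here and not part of keycloak-scanner: a validator must refuse a refresh token whose JWS header says alg "none" (in any letter case) or whose signature segment is empty. The tokens below are constructed locally; the issuer URL, kid and signature bytes are made up.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_parts(token: str) -> tuple[dict, dict, str]:
    """Split a compact JWS into (header, payload, signature_segment)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return (json.loads(_b64url_decode(segments[0])),
            json.loads(_b64url_decode(segments[1])),
            segments[2])


def alg_none_findings(token: str, expected_alg: str = "RS256") -> list[str]:
    """Return reasons a validator must reject the token; an empty list means OK."""
    header, payload, signature = jwt_parts(token)
    findings = []
    alg = str(header.get("alg", ""))
    # Compare case-insensitively: 'None' and 'NONE' name the same unsigned alg.
    if alg.lower() == "none":
        findings.append(f"alg is {alg!r}: token is unsigned")
    elif alg != expected_alg:
        findings.append(f"alg {alg!r} differs from expected {expected_alg!r}")
    if signature == "":
        findings.append("signature segment is empty")
    # Keycloak marks refresh tokens with typ 'Refresh' in the payload.
    if payload.get("typ") == "Refresh" and findings:
        findings.append("refresh token failed checks: token renewal must be refused")
    return findings


def make_token(header: dict, payload: dict, signature: str) -> str:
    """Assemble a compact JWS from parts (constructed test data, not a real signer)."""
    def enc(obj: dict) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.{signature}"


# Constructed sample tokens (hypothetical realm URL; no real Keycloak issued them).
REFRESH_CLAIMS = {"typ": "Refresh", "iss": "http://localhost:8080/auth/realms/myorganisation"}
GOOD_TOKEN = make_token({"alg": "RS256", "typ": "JWT", "kid": "k1"}, REFRESH_CLAIMS, "ZmFrZXNpZw")
NONE_TOKEN = make_token({"alg": "None", "typ": "JWT"}, REFRESH_CLAIMS, "")
```

Running alg_none_findings on a token captured from a refresh exchange gives a quick triage of whether the server-side validator would have accepted an unsigned token.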

Bugs, feature requests, requests for another scan, questions: https://github.com/NeuronAddict/keycloak-scanner.

*** Use it on production systems at your own risk ***

Install with source code

With venv:

cd keycloak-scanner
python3 -m venv venv
source venv/bin/activate
pip install -e . # with -e, git pull will update code
keycloak-scanner

Or without venv:

cd keycloak-scanner
sudo pip3 install . # use sudo to install for all users
keycloak-scanner


Download files

Source Distribution

keycloak-scanner-1.0.1.tar.gz (8.5 kB, source)

File details

Details for the file keycloak-scanner-1.0.1.tar.gz.

File metadata

  • Download URL: keycloak-scanner-1.0.1.tar.gz
  • Size: 8.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.7.1

File hashes

Hashes for keycloak-scanner-1.0.1.tar.gz

Algorithm    Hash digest
SHA256       7eefadec40660095d47a2af469ccf06f3eba18dac4602fd129c5766bf10b4a06
MD5          ed7cb1df9da8143585809131cd2c0e4a
BLAKE2b-256  1b9e7e6b8be9888be4dc49cb778beda39676d759a5a752e207fceaaae2dd122d

