On Tue, 19 Mar 2013, Michael Easthope wrote:
It's an edge case but if you can trick a user into logging in AND you
control the HTTP flow (e.g. if you are running a malicious mobile application
that pretends to be a legitimate app) you can intercept the redirect URL
that comes back from a successful sign-in. That redirect URL contains both
the service URL and the service ticket - with that you can generate a
samlValidate request and obtain the user details - something we only want
to be releasing to our own applications.
Let's see if I understand:
1. User goes to https://yoursite
2. User is redirected to CAS for login
3. User authenticates and is redirected back to https://yoursite
4. Something executes a Man-In-The-Middle attack to change the redirect to
https://badsite?
That doesn't make sense because SSL should be preventing MITM attacks.
Or are you saying there is a mobile application (not a browser) that is
talking to https://yoursite?
Wouldn't the CAS Services Registry matching rules allow you to specify
which sites are allowed? Or are we talking about a proxying situation?
Andy
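As an added illustration of the point about the Services Registry (this is not code from the thread or from the CAS project), a simplified model of a CAS server that only issues and validates tickets for registered services and binds each ticket to the service it was issued for. The registry patterns, the fnmatch-style matching and the in-memory ticket store are assumptions for the example.

```python
import fnmatch
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list standing in for the CAS Services Registry.
# Assumption: real CAS uses regex/ant patterns; fnmatch is used here for brevity.
SERVICE_REGISTRY = [
    "https://yoursite",
    "https://yoursite/*",
]

# Service ticket -> normalized service it was issued for (constructed store).
_tickets: dict[str, str] = {}


def normalize_service(service: str) -> str:
    """Keep only scheme, host and path so query strings cannot alter matching."""
    parts = urlsplit(service)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def service_registered(service: str) -> bool:
    """True if the service URL matches one of the registry patterns."""
    normalized = normalize_service(service)
    return any(fnmatch.fnmatch(normalized, pattern) for pattern in SERVICE_REGISTRY)


def issue_ticket(service: str) -> str:
    """Called after a successful login; refuses unregistered services outright."""
    if not service_registered(service):
        raise ValueError("service not in registry: " + service)
    ticket = "ST-" + secrets.token_urlsafe(24)
    _tickets[ticket] = normalize_service(service)
    return ticket


def validate(ticket: str, service: str) -> bool:
    """Model of /serviceValidate or /samlValidate.

    The ticket is consumed on first use (so a replay fails) and is only accepted
    when the presented service is registered AND is the service it was issued to.
    """
    issued_for = _tickets.pop(ticket, None)
    if issued_for is None:
        return False
    return service_registered(service) and normalize_service(service) == issued_for
```

An intercepted ticket presented together with a different service URL is rejected, and a ticket that was already validated by the legitimate service cannot be validated a second time.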
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user