After testing I now realize that the ST could be used by another server as
long as the service URL is correct in the serviceValidate call.  I assume
this is because the CAS server does not initiate the call so it can only
send back a response if the ticket and service params match up.

Please correct me if my thinking is off either way.
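As an added example (not CAS's own code, and not from anyone in this thread), here is a small Python model of the server-side check behind serviceValidate together with the "https for everything except localhost" registration policy discussed below; the 10 second lifetime, the consume-on-first-attempt rule, and the sample URLs are assumptions of the model.

```python
"""Toy model of CAS service-ticket (ST) validation, showing what the CAS
server can and cannot check.  Not CAS code; the names and the rule that a
ticket is consumed on the first validation attempt are assumptions here."""
import secrets
import time
from urllib.parse import urlsplit

ST_LIFETIME_SECONDS = 10  # the short validity window mentioned in the thread


class TicketRegistry:
    def __init__(self, now=time.monotonic):
        self._now = now
        self._tickets = {}  # ticket id -> (bound service URL, issue time)

    def grant_service_ticket(self, service):
        """Mint an ST bound to the service URL CAS redirects the browser to."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, self._now())
        return ticket

    def service_validate(self, ticket, service):
        """Model of /serviceValidate.  CAS only sees the ticket and service
        params, never who sent them, so any caller knowing both validates once."""
        entry = self._tickets.pop(ticket, None)  # single use: gone after 1st try
        if entry is None:
            return False, "INVALID_TICKET"
        bound_service, issued = entry
        if self._now() - issued > ST_LIFETIME_SECONDS:
            return False, "INVALID_TICKET"  # expired
        if bound_service != service:
            return False, "INVALID_SERVICE"  # ticket bound to a different URL
        return True, "OK"


def service_allowed(service, require_https=True):
    """Registration policy from the thread: https everywhere except a
    developer's localhost service."""
    parts = urlsplit(service)
    if parts.scheme == "https":
        return True
    return (not require_https) or parts.hostname in ("localhost", "127.0.0.1")


if __name__ == "__main__":
    reg = TicketRegistry()
    st = reg.grant_service_ticket("http://xyz.com/")  # constructed sample service
    # Whoever presents ticket + matching service URL first succeeds ...
    print(reg.service_validate(st, "http://xyz.com/"))  # (True, 'OK')
    # ... and the real service's later attempt is refused: ST already used.
    print(reg.service_validate(st, "http://xyz.com/"))  # (False, 'INVALID_TICKET')
    print(service_allowed("http://xyz.com/"), service_allowed("http://localhost:8080/"))
```

The second validate call failing is the only signal the legitimate service gets that its ticket was consumed elsewhere, which is why the plain-http case is a real, if single-login, exposure.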

On Wed, Oct 22, 2014 at 10:14 AM, Adam Causey <[email protected]> wrote:

> I understand the risk that proxying could pose by allowing non-https and
> retrieving a service ticket.
>
> However, thinking about this additionally, is there actually a risk if
> someone intercepted a ST for a non-proxy service?  Doesn't CAS only send
> the attributes back to the URL that was given the ticket?
>
> Let's say someone logs in and CAS sends an ST to
> http://xyz.com/ticket=ST-123 and it is intercepted. The attacker would
> send a request to
> https://thecasserver.com/cas/serviceValidate?ticket=ST-123&service=http://xyz.com
> , but CAS would send the attributes back to http://xyz.com, correct?  If
> the attacker sent a different URL as the service then the validation would
> fail.
>
>
> On Wed, Oct 22, 2014 at 9:38 AM, Jérôme LELEU <[email protected]> wrote:
>
>> Hi,
>>
>> Yes, using http can allow an attacker to steal a ST and try to use it
>> before the real user (the ST can only be used once). It's a problem, but
>> it's "just" one access / application.
>>
>> Big troubles come into play if the service allows proxy because this
>> time, the attacker could get a real SSO session. That's why by default,
>> services are not allowed to proxy in CAS 4.0.
>>
>> The proxy option should be enabled only when it's *really* necessary.
>>
>> Best regards,
>> Jérôme
>>
>>
>>
>> Jérôme LELEU
>> Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
>> Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
>>
>> 2014-10-22 15:25 GMT+02:00 Adam Causey <[email protected]>:
>>
>>> I would like some feedback on how others handle services that are
>>> non-https (i.e. http://). Do most of you allow or disallow this?
>>> Currently we allow non-SSL sites for some services, but are considering
>>> requiring https for everything except localhost for developers.
>>>
>>> How much of a security concern is this?  The only thought I have is that
>>> the Service Ticket could potentially be sniffed and used, even though there
>>> is only a 10 second window to use the ticket.
>>>
>>> Thanks!
>>>
>>> Adam Causey
>>> Virginia Commonwealth University
>>>
>>> --
>>> You are currently subscribed to [email protected] as: 
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>>
>>
>>
>
