The ticket you get back from CAS will only be valid for your own site. If you attach it to another service URL, it will be invalid when validated by the other service. I think "service-specific tickets" is the aspect of CAS that prevents stolen tickets from being useful; service tickets only compromise the service they are generated for.
________________________________
From: [EMAIL PROTECTED] on behalf of Gabriel Falkenberg
Sent: Tue 14/10/2008 8:07 p.m.
To: Yale CAS mailing list
Subject: Stealing tickets by installing a CAS-client on attacker's site?

Hi,

I'm probably just missing something here but I have a question regarding the standard configuration of the 3.3 CAS server. Using the standard configuration, what stops the following from happening:

1. I have a site which I know is visited by lots of students from a university that uses CAS.
2. I install a CAS filter on my own site using the university's CAS server in gateway mode, which takes everyone to the CAS server and back transparently.
3. The students that are logged in will bring back a ticket to my site, so for every logged-in student I get a ticket.
4. I take the ticket and paste it into the URL of a real university site which uses CAS.
5. That site sends the ticket to the CAS server and I am logged in as the student I stole the ticket from.

I am sure some aspect of CAS stops the above from happening, but which aspect is it? Does the standard configuration need to be changed in order to prevent the above scenario?

Best Regards
Gabriel Falkenberg

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
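The binding the reply describes can be shown with a small model of the CAS ticket exchange. The following is an added example, not code from the CAS server or from either poster: a toy server that issues a service ticket for one exact service URL and a `/serviceValidate`-style check that rejects the ticket when a different service URL is presented, or when the ticket has already been used. The service URLs, the user name and the `ToyCasServer` class are constructed for the illustration; the exact string comparison is a simplification of what a real CAS server does.

```python
"""Toy model of CAS service-ticket binding (added example, not CAS code).

A service ticket (ST) is issued by the CAS server for one service URL and
can only be validated by presenting that same URL.  This is the property
that makes a ticket captured by a third-party site useless against a
different service, which is the scenario discussed in the thread above.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ServiceTicket:
    user: str
    service: str
    consumed: bool = False


class ToyCasServer:
    """Minimal CAS-like server: issues and validates service tickets.
    Hypothetical class written for this example."""

    def __init__(self) -> None:
        self._tickets: Dict[str, ServiceTicket] = {}

    def issue_service_ticket(self, user: str, service: str) -> str:
        """Models the redirect to /login?service=<service> for a browser
        that already holds an SSO session: the new ST is bound to the
        service URL that was in the request."""
        ticket_id = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket_id] = ServiceTicket(user=user, service=service)
        return ticket_id

    def service_validate(self, ticket_id: str, service: str) -> Optional[str]:
        """Models /serviceValidate: returns the authenticated user on
        success, None on failure.  Failure cases: unknown ticket, ticket
        issued for a different service, ticket already consumed."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return None
        if st.service != service:
            # Service mismatch: the ticket was issued for another site.
            return None
        if st.consumed:
            # Service tickets are single-use; a replay is refused.
            return None
        st.consumed = True
        return st.user


def attacker_replay_succeeds(cas: ToyCasServer) -> bool:
    """The scenario from the thread: the attacker's site, running a CAS
    client in gateway mode, obtains a ticket bound to ITS OWN service URL,
    then pastes it into the URL of a real university site.  That site
    validates with the service URL it knows for itself, so the CAS server
    rejects the ticket.  Returns True only if the attack would work."""
    attacker_service = "https://attacker.example/cas-client"   # constructed
    university_service = "https://portal.university.example/"  # constructed

    # Step 3: a logged-in student is bounced through CAS to the attacker's site.
    stolen = cas.issue_service_ticket("student42", attacker_service)

    # Steps 4-5: the attacker presents the stolen ticket to the university
    # site, which validates it against its own service URL.
    return cas.service_validate(stolen, university_service) is not None


def legitimate_login_and_replay(cas: ToyCasServer) -> Tuple[Optional[str], Optional[str]]:
    """Normal flow for the real site, followed by a replay of the same
    ticket: the first validation succeeds, the second fails because a
    service ticket is single-use."""
    university_service = "https://portal.university.example/"  # constructed
    st = cas.issue_service_ticket("student42", university_service)
    first = cas.service_validate(st, university_service)
    second = cas.service_validate(st, university_service)
    return first, second


if __name__ == "__main__":
    cas = ToyCasServer()
    print("attacker replay works:", attacker_replay_succeeds(cas))   # False
    print("legit, then replay:", legitimate_login_and_replay(cas))  # ('student42', None)
```

Two caveats a practitioner would check: the check is only as strong as the `service` value the validating client sends, so a CAS client must derive that URL from its own configuration or its own request URL rather than from attacker-influenced input; and the single-use property in the model is part of the CAS protocol, which together with a short ticket lifetime limits what an intercepted ticket is worth even for the service it was issued to.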
