Hello everyone, I will be very brief in my story.
We recently tried to implement Guacamole for about 2500 users or more. However, Guacamole did not respond well to pen testing. The pen testing team found a way to hijack the authToken and connect to the Guacamole interface of any other computer on the network. Guacamole was not approved because it is an environment with a high rate of fraud. The same team also explored the authToken flaw in the Cameyo and Glypto enterprise.

One of the ways to exploit it is to copy the "token" from the GUAC_AUTH cookie. Another way is through the use of the REST API, using the callback-extension.

We would very much like to approve Guacamole at our institution, so I leave the question here: has anyone had the same problem, or would you have ideas on how to protect Guacamole against the authToken hijacking?

Thank you all.

Regards,
Thiago
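The post describes a stolen GUAC_AUTH token being replayed from another host. The following is an added example, not code from the original post or from the Guacamole project: a small detector, run over reverse-proxy access logs in front of Guacamole, that raises an alert when the same token is used from two different clients (source IP plus user agent) within a short window. It assumes a proxy log format of my own choosing (one line per request, with the token written as a truncated SHA-256 rather than the raw value); the log lines, paths and token values below are constructed for the example.

```python
"""Flag an authToken that is reused from a different client within a short window.

Added example for this thread (not the Guacamole project's own code). Assumed
setup: a reverse proxy in front of Guacamole writes one access-log line per
request in the constructed format

    <iso-timestamp> <source-ip> token=<hash-prefix> ua="<user-agent>" <path>

where <hash-prefix> is a truncated SHA-256 of the GUAC_AUTH token value, so the
raw token never lands in the log.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample log: one token (4f2a1c) is used from a browser and, two
# minutes later, from a different host with a different user agent.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 token=4f2a1c ua="Firefox/125" /guacamole/api/session/tunnels
2024-05-01T10:00:20 10.0.0.5 token=4f2a1c ua="Firefox/125" /guacamole/api/session/tunnels
2024-05-01T10:02:10 10.0.0.9 token=4f2a1c ua="curl/8.5" /guacamole/api/session/tunnels
2024-05-01T10:03:00 10.0.0.7 token=9b7e33 ua="Chrome/124" /guacamole/api/session/tunnels
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) token=(?P<tok>\S+) ua="(?P<ua>[^"]*)" (?P<path>\S+)$'
)


def token_fingerprint(token):
    """What the proxy should log instead of the token itself: a 12-hex-char SHA-256 prefix."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_token_reuse(events, window=timedelta(minutes=15)):
    """Return one alert per (token, new client) pair where the token was last used
    by a different client no more than `window` earlier.

    A client is the (source ip, user agent) pair. The check is deliberately an
    alert, not a block: NAT and roaming users can change IP legitimately.
    """
    last_seen = {}   # token -> (timestamp, client) of its most recent request
    flagged = set()  # (token, client) pairs already reported
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        tok = ev["tok"]
        client = (ev["ip"], ev["ua"])
        prev = last_seen.get(tok)
        if (prev is not None and prev[1] != client
                and ev["ts"] - prev[0] <= window
                and (tok, client) not in flagged):
            flagged.add((tok, client))
            alerts.append({
                "token": tok,
                "previous_client": prev[1],
                "new_client": client,
                "seconds_apart": int((ev["ts"] - prev[0]).total_seconds()),
                "path": ev["path"],
            })
        last_seen[tok] = (ev["ts"], client)
    return alerts


if __name__ == "__main__":
    for alert in find_token_reuse(parse_log(SAMPLE_LOG)):
        print("possible token reuse:", alert)
```

The detector only sees what the proxy logs, so the useful part is the logging convention: hash the token before it is written, and record IP and user agent per request so a replayed token from a second machine stands out. Treat a hit as a trigger to invalidate that session and investigate, not as proof on its own.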
