Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
CSRF & SSO
Posted by: flatron
Date: December 12, 2007 08:49AM

It seems that as people use SSO solutions like pubcookie more and more for services that span throughout an institution, this infrastructure becomes more and more vulnerable to CSRF attacks.

Have the problems of CSRF & SSO been formally addressed somewhere? Are there any whitepapers? I'm googling but I can't seem to find anything useful...

Options: ReplyQuote
Re: CSRF & SSO
Posted by: rsnake
Date: December 13, 2007 08:32AM

Not that specific topic (it's more granular than what we normally talk about). Generally speaking (and what I've said hundreds of times) is you are no longer as vulnerable as you are with SSO but you are instead as vulnerable as the weakest link on the chain. And if the weakest link allows you to put up <IMG tags on the site, or can be easily social engineered into doing something stupid (phishing) then the whole system is theoretically vulnerable to the same thing. I do talk about SSO fairly regularly, if you are just trying to find some written material: http://ha.ckers.org/blog/?s=single+sign+on

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote


Sorry, only registered users may post in this forum.