Security issue in validate #7

Open
ghost opened this issue Feb 26, 2012 · 3 comments
Comments

@ghost

ghost commented Feb 26, 2012

Fairly sure that 'validate' should check that the ticket and service parameters match. Currently, once one service gets a service ticket, it can then provide that ticket to another service and impersonate the user.

@ghost
Author

ghost commented Mar 2, 2012

Surely the service is required to be the URL of the service hosting the application by the fact that the login view redirects there. If you supply an invalid URL, the application would never get the service ticket in the first place.

Consider the following:

  1. You are logged into your applications via your CAS provider.
  2. You are then browsing the web and come to my page.
  3. My page uses an iframe to request your login, supplying a new service URL.
  4. My service URL receives a service ticket associated with your username.
  5. I then use my browser to send that service ticket to your protected application.
  6. Your application then validates the ticket and confirms I am in fact you!

If, as I suggest, validate checked that the ticket matched the service, then this impersonation would not be possible. If I used your service URL in step 3 I could never get the ticket, and if I supplied my URL then the validation would fail at step 6.
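
The six steps above, and the proposed check, modelled as an added example. This is illustrative code written for this page, not code from the project under discussion: the in-memory `TicketStore`, the `validate_vulnerable` / `validate_fixed` functions and the `app.example` / `attacker.example` URLs are all assumptions chosen to make the scenario runnable offline.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class ServiceTicket:
    """A CAS service ticket as the server records it at issue time."""
    username: str
    service: str  # the service URL the login view redirected to with ?ticket=ST-...


class TicketStore:
    """In-memory ticket store (assumption: the real project persists these differently)."""

    def __init__(self) -> None:
        self._tickets: Dict[str, ServiceTicket] = {}

    def issue(self, username: str, service: str) -> str:
        """Called by the login view for an already-authenticated user (steps 3-4)."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = ServiceTicket(username, service)
        return ticket

    def consume(self, ticket: str) -> Optional[ServiceTicket]:
        """Service tickets are single-use: remove on the first validation attempt."""
        return self._tickets.pop(ticket, None)


def validate_vulnerable(store: TicketStore, ticket: str, service: str) -> Optional[str]:
    """Behaviour the issue reports: `service` is accepted but never compared."""
    st = store.consume(ticket)
    return st.username if st is not None else None


def validate_fixed(store: TicketStore, ticket: str, service: str) -> Optional[str]:
    """Proposed fix: only the service the ticket was issued for may redeem it."""
    st = store.consume(ticket)
    if st is None or st.service != service:  # exact string match, no URL normalisation
        return None
    return st.username


# Constructed URLs for the walkthrough; they do not appear in the original issue.
VICTIM_APP = "https://app.example/accounts/login/"
ATTACKER_CB = "https://attacker.example/cb"

Validator = Callable[[TicketStore, str, str], Optional[str]]


def legitimate_login(validate: Validator) -> Optional[str]:
    """Normal flow: ticket issued for VICTIM_APP and redeemed by VICTIM_APP."""
    store = TicketStore()
    ticket = store.issue("alice", VICTIM_APP)
    return validate(store, ticket, VICTIM_APP)


def impersonation(validate: Validator) -> Optional[str]:
    """Steps 3-6: ticket issued for the attacker's URL, redeemed at the victim's app."""
    store = TicketStore()
    # Steps 3-4: the attacker's iframe loads /login?service=ATTACKER_CB in alice's
    # logged-in browser, so the server issues a ticket for alice bound to ATTACKER_CB.
    ticket = store.issue("alice", ATTACKER_CB)
    # Steps 5-6: the attacker presents that ticket to VICTIM_APP, which calls
    # /validate?ticket=...&service=VICTIM_APP.
    return validate(store, ticket, VICTIM_APP)


def replay(validate: Validator) -> Optional[str]:
    """A second validation of the same ticket must fail whichever variant is used."""
    store = TicketStore()
    ticket = store.issue("alice", VICTIM_APP)
    validate(store, ticket, VICTIM_APP)
    return validate(store, ticket, VICTIM_APP)


if __name__ == "__main__":
    for name, fn in (("vulnerable", validate_vulnerable), ("fixed", validate_fixed)):
        print(f"{name}: legitimate={legitimate_login(fn)!r} "
              f"impersonation={impersonation(fn)!r} replay={replay(fn)!r}")
```

With `validate_vulnerable` the impersonation returns `alice`; with `validate_fixed` it returns `None` while the legitimate login still succeeds. The comparison is a plain exact match: if the deployment normalises service URLs anywhere (trailing slash, scheme, case), the same normalisation has to be applied at issue and at validation, or legitimate logins will start failing.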

@AndreLouisCaron
Contributor

In case this applies to my earlier comment, I deleted it after re-checking the CAS specification because I had forgotten some details. You're right.

@AndreLouisCaron
Contributor

Note that if you can intercept the service ticket, it's likely you're also capable of intercepting the original service URL. Since the validation does not redirect, anyone can safely falsify the service URL during validation and use the intercepted service URL.

Validating that the service URL matches the original service URL only protects against the use case in which both of the following are true:

  1. the attacker intercepted the HTTP response containing the service ticket identifier, but not the HTTP request containing the service URL;
  2. the attacker validates the service ticket before the application does.

I agree that this should be fixed, but it's unlikely to be a real security issue.
