Versions Compared

Old Version 31

changes.mady.by.user Former user

Saved on

compared with

New Version 32

changes.mady.by.user trscavo@ncsa.illinois.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add anchor

...

  1. Track a victims activity because it is happening in their own session.
  2. Trick the victim into entering sensitive information into an attackers session/account e.g. bank account details etc.

Appendix A describes an example Login CSRF attack on the IdP.

...

  • The options above are not mutually exclusive. For example, a flow execution lister could be used to inject tokens into the SWF viewScope, while a profile action could be used to check it. Similarly, a profile action could be used to initialise a CSRF Context, an SWF action be used to add it to the viewScope, and a flow execution listener used to check it on ‘proceed’ transition.

Anchor
appendix-a
appendix-a
Appendix A - Login CSRF Example

Login CSRF Example

The following HTML form is an example of one which can be used by an attacker to post a username and password to the IdP. This is essentially that which is used by the IdP's login view, but pre-populated with a username and password of the attacker - whom must have an active account with the IdP's authentication source. 

...