

  1. Track a victim's activity, because it is happening in their own session.
  2. Trick the victim into entering sensitive information into an attacker's session/account, e.g. bank account details.

Appendix A describes an example Login CSRF attack on the IdP.


  • The options above are not mutually exclusive. For example, a flow execution lister could be used to inject tokens into the SWF viewScope, while a profile action could be used to check it. Similarly, a profile action could be used to initialise a CSRF Context, an SWF action be used to add it to the viewScope, and a flow execution listener used to check it on ‘proceed’ transition.
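As an added example (not IdP project code) of the listener-based variant above, the following Spring Web Flow execution listener issues a per-view token into viewScope before a view renders and rejects a 'proceed' transition whose request does not echo it back. The class name, the viewScope attribute name and the request parameter name are assumptions; the login view template is assumed to render the token as a hidden form field.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import org.springframework.webflow.definition.StateDefinition;
import org.springframework.webflow.definition.TransitionDefinition;
import org.springframework.webflow.execution.FlowExecutionListenerAdapter;
import org.springframework.webflow.execution.RequestContext;
import org.springframework.webflow.execution.View;

/** Hypothetical listener: issues a CSRF token into viewScope and checks it on 'proceed'. */
public class CsrfTokenFlowExecutionListener extends FlowExecutionListenerAdapter {

    // Assumed names for the viewScope attribute and the form field carrying the token.
    public static final String TOKEN_ATTRIBUTE = "csrfToken";
    public static final String TOKEN_PARAMETER = "csrf_token";

    private final SecureRandom random = new SecureRandom();

    /** Before a view renders, place a fresh unguessable token into viewScope. */
    @Override
    public void viewRendering(RequestContext context, View view, StateDefinition viewState) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        context.getViewScope().put(TOKEN_ATTRIBUTE, token);
    }

    /** On the 'proceed' transition, require the request to echo the issued token back. */
    @Override
    public void transitionExecuting(RequestContext context, TransitionDefinition transition) {
        if (!"proceed".equals(transition.getId())) {
            return;
        }
        String expected = context.getViewScope().getString(TOKEN_ATTRIBUTE);
        String supplied = context.getRequestParameters().get(TOKEN_PARAMETER);
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            // A cross-site form post cannot know the viewScope token, so it fails here.
            throw new IllegalStateException("CSRF token missing or invalid");
        }
    }

    /** Length-independent comparison so the check does not leak token bytes via timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The login view must emit `viewScope.csrfToken` as a hidden input named `csrf_token`, and the listener is registered in the flow executor's listener configuration.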

Appendix A - Login CSRF Example


The following HTML form is an example of one which an attacker can use to post a username and password to the IdP. It is essentially the form used by the IdP's login view, but pre-populated with the attacker's own username and password; the attacker must therefore hold an active account with the IdP's authentication source.