Info: A more robust and proper authN/authZ mechanism is being explored.
Introduction and Context
Certain RESTful admin functions of the IdP (e.g. account lockout) use IP-address authentication by default. Consequently, a Cross-Site Request Forgery (CSRF) attack would exploit the authorisation granted to the IP address of the user's network host, from which the browser makes the request, to invoke those admin functions cross-site: the IdP sees a request arriving from an allow-listed address and cannot tell that another site caused the browser to send it.
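The failure mode above, as an added illustration that is not the IdP's own code: a minimal model of an admin endpoint's authorisation decision, first with the page's IP-only policy and then with a hardened variant that also requires a secret in a custom header and checks Origin/Referer. The allow-listed address, origin, token and `/admin/lockout` path are constructed placeholders.

```python
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: allow-listed admin host, IdP origin, placeholder admin secret.
ADMIN_ALLOWLIST = {"10.0.0.5"}
IDP_ORIGIN = "https://idp.example.org"
TOKEN = "constructed-secret-token"

@dataclass
class Request:
    remote_addr: str   # address of the host the browser is running on
    path: str
    headers: dict

def ip_only_authz(req: Request) -> bool:
    """Policy as described on the page: the source IP alone decides, so any
    request the browser on an allow-listed host can be induced to send passes."""
    return req.remote_addr in ADMIN_ALLOWLIST

def _same_site(origin: str) -> bool:
    u = urlsplit(origin)  # compare scheme+host exactly, never by string prefix
    return f"{u.scheme}://{u.netloc}" == IDP_ORIGIN

def hardened_authz(req: Request, expected_token: str) -> bool:
    """IP check plus a secret custom header (browsers do not attach custom headers
    to cross-site form posts or resource loads) and, if sent, a same-site Origin."""
    if req.remote_addr not in ADMIN_ALLOWLIST:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not _same_site(origin):
        return False
    token = req.headers.get("X-Admin-Token", "")
    return hmac.compare_digest(token, expected_token)

def legitimate_admin_request() -> Request:
    # Admin tooling on 10.0.0.5 calls the (constructed) lockout endpoint.
    return Request("10.0.0.5", "/admin/lockout",
                   {"Origin": IDP_ORIGIN, "X-Admin-Token": TOKEN})

def cross_site_request() -> Request:
    # Same browser host, but the request was triggered by a page on another
    # site: same source IP, no custom header, foreign Origin.
    return Request("10.0.0.5", "/admin/lockout",
                   {"Origin": "https://other-site.example"})

def outcomes() -> dict:
    legit, forged = legitimate_admin_request(), cross_site_request()
    return {"ip_only": (ip_only_authz(legit), ip_only_authz(forged)),
            "hardened": (hardened_authz(legit, TOKEN), hardened_authz(forged, TOKEN))}
```

`outcomes()` returns `{'ip_only': (True, True), 'hardened': (True, False)}`: the IP-only policy cannot distinguish the forged request from the legitimate one, while the hardened policy rejects it.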
...