CSRF FlowExecutionListener testing for CAS

Purpose

Following on from CSRF Mitigation Options, here we test that the CsrfFlowExecutionListener[1] CSRF synchroniser token pattern mitigation works when using the IdP as a CAS server.

Views

The following CAS views have been tested with CSRF protection enabled.

View Name | Description | Requires CSRF protection (e.g. uses an HTML form POST to the IdP)
footer.vm | XML CAS service response footer | No
header.vm | XML CAS service response header | No
logoutService.vm | Propagates a CAS logout to the SP | No/Yes. The main form is posted to the SP with a SAML 2 logout request, hence a CSRF token is not required. However, the underlying flow itself is finalised by directing the propagation iFrame back to the IdP and resuming the conversation. This is done by modifying the iFrame src, and requires the CSRF token in the URL that is set into sessionStorage, e.g. see U1. Alternatively you could exclude this view (ShowServiceLogoutView) from CSRF protection, which probably makes sense.
postBack.vm | When the service ticket request method is POST | No. The main form posts the service ticket to the SP, hence a CSRF token is not required from the IdP.
proxyFailure.vm | XML CAS proxy failure response | No
proxySuccess.vm | XML CAS proxy success response | No
validateFailure.vm | XML CAS authentication failure response | No
validateSuccess.vm | XML CAS authentication success response | No


U1

Modify the script in the CAS logoutService.vm to include the CSRF token in the flow-resume URL stored in sessionStorage:


<script>
    // Store the URL that resumes the IdP flow, including the CSRF token, so the
    // propagation iFrame can be redirected back to the IdP without failing the CSRF check.
    if (typeof(Storage) !== "undefined") {
        sessionStorage.setItem("$logoutPropCtx.sessionKey", "$flowExecutionUrl&_eventId=proceed&${csrfToken.parameterName}=${csrfToken.token}");
    }
</script>
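The browser-side half of U1, as an added example that is not part of the original page or of the IdP's own logoutService.vm: it builds the flow-resume URL with `_eventId=proceed` and the CSRF token, stores it under the logout-propagation session key, and reads it back with a check that the URL is still same-origin with the IdP and still carries the token before it is used as the iFrame src. The Velocity variables ($flowExecutionUrl, $logoutPropCtx.sessionKey, ${csrfToken.parameterName}, ${csrfToken.token}) are rendered server-side in the real template; here they are replaced by constructed sample values, and an in-memory object stands in for window.sessionStorage so the script runs under Node as well as in a browser.

```javascript
// Added example (not IdP code). The IdP base URL and all SAMPLE values below are
// constructed stand-ins for what the Velocity template renders server-side.
const IDP_BASE = "https://idp.example.org";

const SAMPLE = {
  flowExecutionUrl: "/idp/profile/cas/logout?execution=e1s1", // stands in for $flowExecutionUrl
  sessionKey: "logoutPropagationKey",                        // stands in for $logoutPropCtx.sessionKey
  csrfParamName: "csrf_token",                               // stands in for ${csrfToken.parameterName}
  csrfToken: "a1b2c3d4e5f6",                                 // stands in for ${csrfToken.token}
};

// Build the resume URL the modified template writes into sessionStorage:
// flow execution URL + _eventId=proceed + the synchroniser token. Using
// URLSearchParams handles both "already has a query" and "no query" cases.
function buildResumeUrl(flowExecutionUrl, csrfParamName, csrfToken) {
  const url = new URL(flowExecutionUrl, IDP_BASE);
  url.searchParams.set("_eventId", "proceed");
  url.searchParams.set(csrfParamName, csrfToken);
  return url.toString();
}

// Mirror of sessionStorage.setItem(...) in the template.
function storeResumeUrl(storage, sessionKey, resumeUrl) {
  storage.setItem(sessionKey, resumeUrl);
}

// Read the stored URL back when propagation finishes. Returns null (so the
// caller can fall back rather than redirect) if the entry is missing, is not
// a URL on the IdP origin, does not resume the flow, or lacks the CSRF token,
// which is exactly the case in which the IdP's CSRF listener would reject it.
function loadResumeUrl(storage, sessionKey, csrfParamName) {
  const stored = storage.getItem(sessionKey);
  if (stored === null) return null;
  let url;
  try {
    url = new URL(stored);
  } catch (e) {
    return null;
  }
  if (url.origin !== new URL(IDP_BASE).origin) return null;
  if (url.searchParams.get("_eventId") !== "proceed") return null;
  if (!url.searchParams.get(csrfParamName)) return null;
  storage.removeItem(sessionKey); // single use: the token should not linger
  return url.toString();
}

// In-memory stand-in for window.sessionStorage so the example runs under Node.
// In a browser, pass window.sessionStorage instead.
function memoryStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => { m.set(k, String(v)); },
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => { m.delete(k); },
  };
}

// Full round trip: what the template does on render, then what the page does
// when it points the propagation iFrame back at the IdP.
function runExample() {
  const storage = memoryStorage();
  const resume = buildResumeUrl(SAMPLE.flowExecutionUrl, SAMPLE.csrfParamName, SAMPLE.csrfToken);
  storeResumeUrl(storage, SAMPLE.sessionKey, resume);
  return loadResumeUrl(storage, SAMPLE.sessionKey, SAMPLE.csrfParamName);
  // In the real page: document.getElementById("propagationFrame").src = <returned URL>
}
```

The same-origin and token checks are the point of the example: if the stored value were ever tampered with or written without the token, redirecting the iFrame would either leak the resume request off-site or trip the CsrfFlowExecutionListener, so the page should refuse to resume rather than redirect blindly.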