> However, for #2, I have a hard time seeing how the server would allow you to
> request a ticket for A and then use it for B.

Both attacks are really the same with different origins. While it's not appropriate to provide an attack sequence here, I encourage you to continue thinking about this with URL encoding in mind. The client is guilty of accepting unvalidated input, and the ticket validation request can be made to look legitimate to the CAS server when in fact it violates the service/ticket pairing.

> Is the idea that the client is *really* requesting a ticket for B in the
> first place?

No. It's tricking B to send a ticket validation request for A. The prerequisite is a legitimate ticket for A. The trick is to make B use A's service URL with the legitimate ticket for A. That would not be possible if the client URL encoded request parameters properly.

M
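The defensive side of the point made above, as an added example that is not part of the original thread: a CAS client that builds its serviceValidate request with every parameter URL-encoded and only ever validates against its own configured service URL, plus a strict parser that rejects requests whose service/ticket pairing does not match what the ticket was issued for. The CAS server URL and service URLs are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder for the CAS server's validation endpoint.
CAS_VALIDATE = "https://cas.example.org/cas/serviceValidate"


class CasClient:
    """Client for one protected service; the service URL is fixed at
    configuration time and never taken from the incoming request."""

    def __init__(self, service_url):
        self.service_url = service_url

    def build_validate_url(self, ticket):
        # urlencode percent-encodes reserved characters ('&', '=', '?', ...)
        # so the service value cannot be split into extra parameters.
        query = urlencode({"service": self.service_url, "ticket": ticket})
        return CAS_VALIDATE + "?" + query


def parse_validate_request(url):
    """Parse a validation request strictly: exactly one 'service' and one
    'ticket' parameter, nothing else, no malformed pairs."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True,
                  strict_parsing=True)
    if set(qs) != {"service", "ticket"}:
        raise ValueError("unexpected validation parameters")
    if any(len(values) != 1 for values in qs.values()):
        raise ValueError("duplicate validation parameter")
    return qs["service"][0], qs["ticket"][0]


def pairing_ok(issued_service, issued_ticket, url):
    """Server-side check: the ticket presented must be validated for the
    exact service it was issued to, compared as whole decoded strings."""
    service, ticket = parse_validate_request(url)
    return service == issued_service and ticket == issued_ticket
```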