Hey Carl, you are right. The problem described is not a CSRF issue. Still, I wonder if users of CAS are aware of it. In the end it means that attackers can easily trigger any flow provided by CAS, right? That bugs me.
Before, I was under the assumption that the Webflow execution ID was used as a nonce. But I was wrong, as it can be reused even if the flow succeeded already...

On Wednesday, April 21, 2021 at 10:54:03 PM UTC+2 waldbiec wrote:

> Technically, that is not CSRF, but I understand the concern you have--
> phisher captures the username/password on their own form, and then sends
> the credentials on to the legitimate site so the user is none the wiser.
>
> A nonce in this case wouldn't buy you too much if the user doesn't notice
> they are at the wrong site. Consider the attacker could just POST to her
> own site then redirect to the real site, leaving the user thinking she just
> entered a typo in the username or password. Or the phisher could be
> proxying the site, maybe using something like an sslstrip attack. In all
> those cases, if the user hasn't noticed she wound up on
> https://evil-site-that-looks-like-your.net/ she may be fooled into giving
> up her credentials.
>
> A nonce is useful as CSRF protection in cases where you are already
> authenticated to a site, so a bad actor can't trick you into doing
> something that would normally require authentication.
>
> Historically, I believe CAS used to have a "login ticket" which was a
> nonce. It dropped it somewhere between 3.x and 5.x, I believe.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
>
> On Wed, Apr 21, 2021 at 5:24 AM Paul Roemer <[email protected]> wrote:
>
>>
>> Hey guys,
>>
>> we noticed that you can easily create your own login form with copied
>> execution ID on any domain you might want to use for phishing attacks. As
>> for the victim everything looks good (login is successful), detecting the
>> attack is hard.
>> >> >> Example form for the CAS demo server: >> <form action="https://casserver.herokuapp.com/cas/login" method="POST"> >> <input type="hidden" name="username" value="casuser"> >> <input type="hidden" name="password" value="Mellon"> >> <input type="hidden" name="execution" >> value="4966e50b-191f-45e1-bab2-22e6304447c7_ZXlKaGJHY2lPaUpJVXpVeE1pSXNJblI1Y0NJNklrcFhWQ0o5Lk5NV1I3dHVicU1USWZqLW1kb1pnak8tWlctN21XRGVMTk1XMl9fMUczNktRemg4MHNRcEoycHFsa01uYkhGbkdUYmZPWkRmUDZfLXk0UTlLMXFVQjFOb05sbmRod3dPZF9ZS0ctc29BalItMzhlRXdNTXpmdFFTZTE5aEJwQXZVeHBnZGN5LVVtajhPRXFFbVlqRWtwUmpST2QzbC1sN3A4ZXkwU1dVWjBHZHFRMXpYSGRjc19Mc21UODZ0TFY3ZDdCd2dUTWxYZUFzUEotTFRzTGFud05rRjlzenRjVjFrd3dYemgxOU1aQ2lHSEMwWkJTVExGYWxxcGtQNTRQbFNJQ2g4azBmNXdjRGJYYmN3TEdFWmJwUFViS3dDZHFkdGg2NndKQ2pWZUM3R0loVzNfQWVjUWZnLXItU3o4S080MjlKMlN5TU40NlNtT0J5WXh1MnJ2RmZINDJFSm9iM0dOSzQzT0xiZWU1dHUzRzhna3NXRmRibkxWbk1LMXJfSEFnMWNXSC1sUGY2cU53c1liSXR6YlJ2WFlaVm1HUHdjN01XdEdqS09ObFpSNDNjS3hHbkp6UUFaUEZuWmo1LUUyNjlpX1ZuemloT0ZlVEx1SG1GcmRCbTFLb2kxTG9qbDF1ZGpfZkg1dHA2azFiLUQ2QzZibTZ3bTRxY1lZWU03SHlpNGJNYVMtNUVUcHpKbzdmX0E5bW9ZWmoyR0RSMVdxaXA4X2Z3RUpEZUd0eklVdVFJaVpVRUJqRW51RGZ2bFgzWkhva1g0WXU1eTNFUEd2LVpHNWhOSjc1STFFQjVtbE53ckpDdWJwQ2I0QWtMS0w5NXc3UGk5eHVrcFVVVVRpb01NOVVvRnhXMGZtMXAybTdEbFRPTko3Q080M09HcHo0RmRBNnBKRVJQeVd3SFZkOXA5UEhEaUo1b29ybGk0WUY0S1FmYUFQREJyMHZsSjlac0dhNlJSSHkzQnhIa05EMmg5bUlDUDZNZEpmLUhtTDMyWnM2Z2MyODlkZWYxdVlYMnlpMUFONlg3dTQ4R2k3cVd1aElZWnBVNDVTZENpQVp0ejIwWWk5NzFwUFlkamlnUG9UUmRrdDVzM0RHWDQ0ZnJZbnRFTjQxMjlDcDBscUJ0S2E1eGg5bHd5UGNsZW5rcVJYX3JTREk4VE9EUnRTWHRZYmhwMGxlZUVremtMVXVEdmVnVk0yMkNaOWdnUHJHR1ZCZGV3c0lBc0JoWGtoRzhzVUNtTk1HSjNNbHNfdzFRaUpSX3RHN2hMcUEwNVMzVlRrcUJGNEFnVUF2NktXN1hUMGtBNGxDcS1iNzZCR3JielZIMmhPODlTYng2ZUhQZjRDcFJ3VGZOS2dfVzFRdmU3NkVnZm55M3JXYjN6NWRJeXd0LVRvanhWalhPX1VDcnRybkN1MnhQbkpBVHpucnoxRUpIR3h6Ni1ONzB4aF82Z1FkVV9LNkl2VUd6Zm94WV9XSUZSd2VwVXZJLUNkb0FkY1l1VHItaW0zbnYtZFFFeC5DQkVnem5ieWpjVDlTeUl5alBUNkNmZWk2NWVydU1jU1lhQlZJS1daYTlkLXh5dkExdDdJWE5fdGNKSVQxVURWd3lJbUFPNEZTMlhDTWc1Z
1VPa1pBUQ==">
>> <input type="hidden" name="_eventId" value="submit">
>> <input type="hidden" name="geolocation" value="">
>> <input type="submit" value="Submit request">
>> </form>
>>
>> Besides the CSRF issue, I also wonder why the same Spring Webflow
>> execution ID can be used several times. Shouldn't the execution ID be
>> deleted after reaching an end state of the flow?
>>
>> Cheers,
>> Paul
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/822b9c4b-dfdd-4943-b40c-a99c890513e5n%40apereo.org
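The single-use "login ticket" idea raised in the thread, sketched as an added example; it is not CAS code and not from either poster. The class name, the `browser_id` pre-login cookie value and the 300-second lifetime are assumptions made for illustration. It covers only replay of a copied token, the behaviour Paul asks about, not the credential-capturing page Carl describes.

```python
import hmac
import secrets
import time


class LoginTicketStore:
    """Hypothetical single-use login-ticket (nonce) store; not the CAS API."""

    def __init__(self, ttl=300, clock=time.time):
        self._ttl = ttl          # assumed lifetime in seconds
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # ticket -> (expiry, browser binding)

    def issue(self, browser_id):
        """Create a ticket when the login form is rendered for this browser."""
        ticket = "LT-" + secrets.token_urlsafe(24)
        self._pending[ticket] = (self._clock() + self._ttl, browser_id.encode())
        return ticket

    def redeem(self, ticket, browser_id):
        """Consume the ticket on the first attempt, whatever the outcome."""
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return "unknown-or-replayed"
        expiry, bound_to = entry
        if self._clock() > expiry:
            return "expired"
        # The ticket must come back from the browser it was issued to.
        if not hmac.compare_digest(bound_to, browser_id.encode()):
            return "wrong-browser"
        return "ok"


def demo():
    """Constructed scenario: first use, replay, foreign browser, expiry."""
    now = [1000.0]
    store = LoginTicketStore(ttl=300, clock=lambda: now[0])
    t1 = store.issue("cookie-A")
    results = [store.redeem(t1, "cookie-A"),   # legitimate first submit
               store.redeem(t1, "cookie-A")]   # same ticket submitted again
    t2 = store.issue("cookie-B")               # ticket copied from another session
    results.append(store.redeem(t2, "cookie-A"))
    t3 = store.issue("cookie-A")
    now[0] += 301                              # form left open past the lifetime
    results.append(store.redeem(t3, "cookie-A"))
    return results


if __name__ == "__main__":
    print(demo())
```
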
