Category:Attack Categorisation By Attacker Model: Message generation attacks and Certificate Injection: Difference between pages

From Single Sign-On Attacks
(Difference between pages)
Jump to navigation Jump to search
No edit summary
 
No edit summary
 
Line 1: Line 1:
The messages can contain no secret information and any publicly avialable data. To carry them out, one uses only publicly available information as well as SAML elements ''Identity (I)'', ''Freshness (F)'' and ''Destination (D)''. The attacker uses  his own key material for generation of tokens.
=Introduction=


[[File:MA1_.jpg|centre]]
=Attack subtypes=
There are no attack subtypes for this attack.


==Part of main category:==
 
*[[:Category:Attack_Categorisation_By_Attacker_Model]]
=Prerequisites=
[[Category:Attack_Categorisation_By_Attacker_Model]]
 
=Target=
[[File:Target_Session_Managment.jpg|centre|600px]] <br>
The attacked Single Sign-On component is marked in red colour. <br>
 
The attack uses the CSRF technique to enforce the victim to change changing configuration data without explicit user interaction.
 
=Description=
 
=Mitigation / Countermeasures=
Session Management schould include a protection against CSRF to mitigate the attack.
 
=Practical Examples=
In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack:
SAManage, Shiftplanning, BambooHR, IdeaScale, Howlr and CA Service Management.
 
=References=
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).

Revision as of 18:01, 2 February 2016

Introduction

Attack subtypes

There are no attack subtypes for this attack.


Prerequisites

Target


The attacked Single Sign-On component is marked in red colour.

The attack uses the CSRF technique to enforce the victim to change changing configuration data without explicit user interaction.

Description

Mitigation / Countermeasures

Session Management schould include a protection against CSRF to mitigate the attack.

Practical Examples

In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack: SAManage, Shiftplanning, BambooHR, IdeaScale, Howlr and CA Service Management.

References

C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).

Pages in category "Attack Categorisation By Attacker Model: Message generation attacks"

The following 4 pages are in this category, out of 4 total.

C

S

X

Retrieved from "http://www.ws-attacker.de/index.php?title=Category:Attack_Categorisation_By_Attacker_Model:_Message_generation_attacks&oldid=353"