Certificate Injection: Difference between revisions

From Single Sign-On Attacks
Revision as of 17:01, 2 February 2016

Introduction

Attack subtypes

There are no attack subtypes for this attack.


Prerequisites

Target

[Figure: Target_Session_Managment.jpg]
The attacked Single Sign-On component is marked in red colour.

The attack uses the CSRF technique to force the victim into changing configuration data without explicit user interaction.

Description

Mitigation / Countermeasures

Session Management should include protection against CSRF to mitigate the attack.
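As an added illustration (not code from this wiki or from the cited paper), the following constructed Python sketch contrasts a configuration-update handler that relies on the session cookie alone with one that additionally requires a per-session anti-CSRF token and checks the request origin. The endpoint, the `SSO_CONFIG` store, the `APP_ORIGIN` value and the dict-shaped request objects are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed, in-memory stand-ins for the server's session store and for the
# SSO configuration (here the trusted IdP certificate) that the attack targets.
SESSIONS = {}                      # session_id -> {"user": ..., "csrf_token": ...}
SSO_CONFIG = {"idp_cert": "-----CONSTRUCTED ORIGINAL CERT-----"}
APP_ORIGIN = "https://sso.example"  # assumed origin of the SSO service


def login(user):
    """Create a session and bind a fresh, unguessable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _session_for(request):
    return SESSIONS.get(request.get("cookies", {}).get("sid"))


def origin_allowed(headers):
    """Defence in depth: if the browser sent Origin or Referer, it must match
    our own origin. A missing header is tolerated because the token check below
    remains the primary control."""
    origin = headers.get("Origin") or headers.get("Referer")
    return origin is None or origin == APP_ORIGIN or origin.startswith(APP_ORIGIN + "/")


def update_cert_vulnerable(request):
    """Checks only the session cookie, which the browser attaches automatically,
    so a cross-site form submission from any other page also passes."""
    if _session_for(request) is None:
        return 401
    SSO_CONFIG["idp_cert"] = request["form"]["idp_cert"]
    return 200


def update_cert_hardened(request):
    """Synchronizer-token pattern: the submitted token must match the one bound
    to the session. Other origins cannot read it, so a forged request is
    rejected before any configuration data changes."""
    session = _session_for(request)
    if session is None:
        return 401
    if not origin_allowed(request.get("headers", {})):
        return 403
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403                  # no state change on a failed check
    SSO_CONFIG["idp_cert"] = request["form"]["idp_cert"]
    return 200
```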

Practical Examples

In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found that a number of them were vulnerable to this attack: SAManage, Shiftplanning, BambooHR, IdeaScale, Howlr and CA Service Management.

References

C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).