Certificate Injection

From Single Sign-On Attacks
Revision as of 18:01, 2 February 2016 by Anna (talk | contribs)
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Introduction

Attack subtypes

There are no attack subtypes for this attack.


Prerequisites

Target


The attacked Single Sign-On component is marked in red colour.

The attack uses the CSRF technique to enforce the victim to change changing configuration data without explicit user interaction.

Description

Mitigation / Countermeasures

Session Management schould include a protection against CSRF to mitigate the attack.

Practical Examples

In 2014, Mainka et al. analyzed 22 Software as a Service cloud providers and found out, that different frameworks were vulnerable to this attack: SAManage, Shiftplanning, BambooHR, IdeaScale, Howlr and CA Service Management.

References

C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).

Retrieved from "http://www.ws-attacker.de/index.php?title=Certificate_Injection&oldid=353"