Stealing tickets by installing a CAS-client on attacker's site?
Andrew Ralph Feller, afelle1
afelle1 at lsu.edu
Tue Oct 14 08:18:58 EDT 2008
Gabriel,
As Dale mentioned, service tickets (ST) are generated by a specific CAS
server for a specific application URL (the service parameter specified when
users are redirected to CAS login servlet). Normally these tickets are
expired after a single use, which is stated in the
WEB-INF/spring-configuration/ticketExpirationPolicies.xml, however it is
possible to reconfigure your CAS deployment to allow ST to be used for
validation multiple times. I must speak a word of caution as I believe most
people do not use this feature, so don't take this as a recommendation to do
so. If ST were allowed to be reused, it would be possible for someone to
get a hold of a ST and by knowing the URL of the application it was created
for, they could have it validated by the CAS server and get back the user's
username.
In summary, you shouldn't worry about the scenario as it should not occur.
HTH,
A
On 10/14/08 5:05 AM, "Dale Ogilvie" <Dale.Ogilvie at trimble.co.nz> wrote:
> The ticket you get back from CAS will only be valid for your own site. If you
> attach it to another service url, it will be invalid when validated by the
> other service.
>
> I think "service specific tickets" is the aspect of CAS that prevents stolen
> tickets from being useful, service tickets only compromise the service they
> are generated for.
>
>
> From: cas-bounces at tp.its.yale.edu on behalf of Gabriel Falkenberg
> Sent: Tue 14/10/2008 8:07 p.m.
> To: Yale CAS mailing list
> Subject: Stealing tickets by installing a CAS-client on attacker's site?
>
> Hi, I'm probably just missing something here but I have a question
> regarding the standard configuration of the 3.3 CAS server. Using the
> standard configuration what stops the following from happening:
>
> 1. I have a site which I know is visited by lots of students from a
> university that uses CAS
>
> 2. I install a CAS filter on my own site using the university's CAS
> server in gateway mode which takes everyone to the CAS server and back
> transparently.
>
> 3. The students that are logged in will bring back a ticket to my site
> so for every logged in student I get a ticket.
>
> 4. I take the ticket and paste into the URL of a real university site
> which uses CAS.
>
> 5. That site sends the ticket to the CAS server and I am logged in as
> the student I stole the ticket from.
>
> I am sure some aspect of CAS stops the above from happening but which
> aspect is it? Does the standard configuration need to be changed in
> order to prevent the above scenario?
>
> Best Regards
> Gabriel Falkenberg
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
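The two properties the replies rely on, a service ticket being bound to the service URL it was issued for and being single-use under the default expiration policy, can be modelled in a few lines. The block below is an added illustration and is not code from the CAS server or from anyone in the thread; `CasServer`, `issue_st`, `validate` and the `allow_reuse` switch are hypothetical names, and the two service URLs are constructed. It walks through steps 3 to 5 of the original question and shows why the replayed ticket is rejected, and also shows that even the multi-use policy the reply cautions against does not relax the service binding.

```python
"""Toy model of CAS service-ticket (ST) validation (example, not CAS code)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ServiceTicket:
    user: str          # principal the ST was issued to
    service: str       # the exact service URL the ST was issued for
    issued_at: float
    used: bool = False


@dataclass
class CasServer:
    """Hypothetical in-memory ticket registry standing in for the CAS server."""
    tickets: Dict[str, ServiceTicket] = field(default_factory=dict)
    ttl_seconds: float = 10.0
    # False models the default single-use policy; True models the
    # "multiple validations" reconfiguration the reply warns about.
    allow_reuse: bool = False

    def issue_st(self, user: str, service: str) -> str:
        """Issue an ST for an already-authenticated user and a service URL."""
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = ServiceTicket(user, service, time.time())
        return st

    def validate(self, st: str, service: str) -> Optional[str]:
        """Return the username if ST is valid for this service, else None."""
        ticket = self.tickets.get(st)
        if ticket is None:
            return None                      # unknown or already consumed
        if time.time() - ticket.issued_at > self.ttl_seconds:
            del self.tickets[st]
            return None                      # expired
        if ticket.service != service:
            return None                      # service-specific binding
        if ticket.used and not self.allow_reuse:
            return None                      # single-use policy
        ticket.used = True
        if not self.allow_reuse:
            del self.tickets[st]             # consume on first successful use
        return ticket.user


def replay_demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Steps 3-5 of the question under the default (single-use) policy."""
    cas = CasServer()
    attacker_site = "https://attacker.example/cas-client"      # constructed
    real_site = "https://portal.university.example/login/cas"  # constructed
    st = cas.issue_st("student1", attacker_site)   # step 3: ST lands on attacker's site
    replayed = cas.validate(st, real_site)         # steps 4-5: pasted into the real site
    legit = cas.validate(st, attacker_site)        # only the issuing service succeeds
    second_use = cas.validate(st, attacker_site)   # and only once
    return replayed, legit, second_use


def reuse_demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Same flow with multi-use STs enabled: reuse works, cross-service still fails."""
    cas = CasServer(allow_reuse=True)
    attacker_site = "https://attacker.example/cas-client"      # constructed
    real_site = "https://portal.university.example/login/cas"  # constructed
    st = cas.issue_st("student1", attacker_site)
    first = cas.validate(st, attacker_site)
    second = cas.validate(st, attacker_site)
    cross = cas.validate(st, real_site)
    return first, second, cross


if __name__ == "__main__":
    print("single-use policy :", replay_demo())   # (None, 'student1', None)
    print("multi-use policy  :", reuse_demo())    # ('student1', 'student1', None)
```

The point the model makes explicit is that the service binding, not the single-use rule, is what defeats the scenario in the question: with reuse enabled the attacker's site could validate its own ticket repeatedly, but the real university site still gets nothing back for it. A real CAS deployment additionally applies a short ST lifetime, represented here by `ttl_seconds`.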