Shibboleth Developers

[Leif Johansson <>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/29/2010 10:49 AM, Etienne Dysli wrote:
> Jim Fox wrote:
>> Our login screen has one button that says 'Log in'.  Possibly someone
>> could be tricked into clicking that -- with an empty password.
>> Seems like a lot of work on the attackers part for very little gain.
>> I imagine the shib login screen is similar.
> 
> One could also fill the username/password fields and make browsers
> bruteforce the IdP login page. I recommend reading Paul Stone's "Next
> Generation Clickjacking" presentation at BlackHat Europe 2010
> (https://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html#Stone)
> for some nice attack ideas. ;)

Right - the attack could be to overlay your login button with an element
that triggers a POST to http://all.your.passwords.are.belong.to.us
        
        Cheers Leif

        
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxRQZYACgkQ8Jx8FtbMZneD9ACeIOprydkB1cuDA6PzMUsr56sN
Nq0An23SjgvhlZD7BkLyuJ5EUOQE7tqU
=WVrK
-----END PGP SIGNATURE-----