Shibboleth Developers

[Jim Fox <>]

> > > Our login screen has one button that says 'Log in'.  Possibly someone
> > > could be tricked into clicking that -- with an empty password.
> > > Seems like a lot of work on the attackers part for very little gain.
> > > I imagine the shib login screen is similar.
> >
> > One could also fill the username/password fields and make browsers
> > bruteforce the IdP login page. I recommend reading Paul Stone's "Next
> > Generation Clickjacking" presentation at BlackHat Europe 2010
> > (https://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html#Stone)
> > for some nice attack ideas. ;)

It is not so hard to protect a login page from from xsrf.  This has to be 
done regardless of the iframe issue.

> Right - the attack could be to overlay your login button with an element
> that triggers a POST to http://all.your.passwords.are.belong.to.us

We tell our users to check the URL of the login page.  It they do that 
there won't be any iframe issues.  If they don't do that then a fake login 
page is the much easier attack path.

In any case the additional header would cause us no harm.

Jim