CAS 4.1.X Cross-Frame Scripting/Clickjacking prevention?
114 views
Skip to first unread message
Yan Zhou
Aug 19, 2016, 11:49:13 AM8/19/16
to CAS Community
Hi,
We are running CAS 4.1.9 overlay. Our security team, after app scanning, has reported that CAS has a security vulnerability: Cross-frame scripting which allows clickjacking. Basically, CAS allows itself to be framed in another app.
If I understand it correctly, an attacker will use iframe to frame the login page, overlay the UI elements on Login form. User types in user credential and click on Login, but, the credential is submitted first to attacker's server, then, the form is submitted again to CAS server. User gets in, he won't see difference, but the attacker already has user credentials.
Their solution is to X-Frame-Option header on web server, that is quite simple, no code change.
Is this a vulnerability? It sounds so to me.
is there a list of things that we need to do in order secure CAS? I did not see any mention of this on CAS Security Guide page.
Thanks,
Yan
Misagh Moayyed
Aug 19, 2016, 4:50:53 PM8/19/16
to CAS Community
You may need to bump the CAS security filter to the latest version, and use filters it provides to set that option. Later CAS versions I suspect do that already by default.
--
Misagh
Misagh
--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/97d44090-7d5d-4a49-a345-fb880a99fa5b%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
Yan Zhou
Aug 26, 2016, 3:06:36 PM8/26/16
to CAS Community, mmoa...@unicon.net
Hi,
Can you elaborate? Is this a filter on client side or server side? Which filter is this?
Thx,
Yan
Misagh Moayyed
Aug 29, 2016, 11:13:15 AM8/29/16
to CAS Community
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ce109fbd-bf3a-480c-8a11-b0df9d7c7a44%40apereo.org.
Reply all
Reply to author
Forward
0 new messages