This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Anti-xsrf plus opt-out for WsFed #1443

Closed
Tratcher opened this issue Sep 20, 2017 · 8 comments

Comments

@Tratcher
Member

WsFed has historically not used anti-xsrf cookies because it supports unsolicited logins. However anti-xsrf cookies could be used if there was an opt-out option for applications that required support for unsolicited logins.
#1441 (comment)

@brentschmaltz how common is it for apps to rely on unsolicited logins?

@Tratcher Tratcher added this to the 2.0.0-wsfed milestone Sep 20, 2017
@Tratcher Tratcher self-assigned this Sep 20, 2017
@kevinchalet
Contributor

@brentschmaltz how common is it for apps to rely on unsolicited logins?

Common or not, it should definitely be opt-out. XSRF/session fixation attacks are too dangerous to ignore by default.

@kevinchalet
Contributor

BTW, it might be interesting to backport such a security feature to Katana 4 😅

@Tratcher
Member Author

Frequency matters because if all apps need to allow unsolicited logins then this feature is counter productive.

@kevinchalet
Contributor

Luckily, not all apps need IdP or third-party initiated login (which is not the most common case from what I can say based on my own experience).

JSYK, the OASIS committee decided in 2012 to add an errata to the SAML2 specification to encourage implementations to offer a way to reject unsolicited assertions when it became clear that it represented a real security threat:

Note that the use of unsolicited responses can lead to Cross-Site Request Forgery (CSRF) vulnerabilities due to the inability to ensure that a request from the client originated the SAML profile transaction. Service providers SHOULD have a means of disabling the acceptance of unsolicited responses if circumstances warrant. The use of solicited responses may also be vulnerable to such attacks, the use of cookies to correlate the issuance of SAML requests and responses with the same client being one possible solution. However, if unsolicited responses cannot be prevented, no improvement to the solicited case will be of use.

http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html

WS-Fed's unsolicited responses feature works exactly the same way so the same attack vector unfortunately applies.

I'm tempted to think it would be better to make it safe by default.
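A reduced model of the correlation-cookie check from the opening post and the "cookies to correlate the issuance of requests and responses with the same client" mitigation quoted from the errata, with an opt-out for unsolicited logins. This is an added illustration, not the aspnet/Security handler's code; the class, cookie name and the AllowUnsolicitedLogins flag are hypothetical names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Reduced model of a WS-Fed correlation check with an opt-out for unsolicited logins.
// Not the aspnet/Security handler: class, cookie and option names are hypothetical.
public sealed class WsFedCorrelation
{
    private const string CookieName = ".Correlation.WsFed"; // illustrative cookie name

    // Hypothetical opt-out: false blocks IdP-initiated (unsolicited) sign-ins by default.
    public bool AllowUnsolicitedLogins { get; set; } = false;

    // Challenge: mint a random nonce, set it as a cookie on the user's browser and send the
    // same value to the STS as wctx so it is echoed back together with the token.
    public string BuildChallenge(IDictionary<string, string> responseCookies)
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        var nonce = Convert.ToBase64String(bytes);
        responseCookies[CookieName] = nonce;
        return nonce; // the value to place in wctx
    }

    // Callback: accept the wsignin message only if wctx matches the nonce in the caller's
    // cookie (i.e. this browser started the flow), or if unsolicited logins were opted in to.
    public bool ValidateSignIn(IDictionary<string, string> requestCookies, string wctx, out string reason)
    {
        if (string.IsNullOrEmpty(wctx))
        {
            reason = AllowUnsolicitedLogins ? "unsolicited login accepted (opt-out)" : "unsolicited login rejected";
            return AllowUnsolicitedLogins;
        }
        if (!requestCookies.TryGetValue(CookieName, out var expected))
        {
            reason = "wctx present but no correlation cookie: flow was not started by this browser";
            return false;
        }
        requestCookies.Remove(CookieName); // one-time use, consumed even on failure
        var ok = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(wctx));
        reason = ok ? "correlated" : "wctx does not match correlation cookie";
        return ok;
    }
}
```

With the default of false, a token that arrives in a browser which never issued the challenge is refused, which is the session-fixation case the errata describes; setting the flag is the explicit opt-out for apps that depend on IdP-initiated login.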

@blowdart
Member

damnit I agree with @PinpointTownes

@kevinchalet
Contributor

damnit I agree with @PinpointTownes

We really need to do something to stop that... :trollface:

@Tratcher
Member Author

Offline notes: @brentschmaltz also swore and agreed with @PinpointTownes.

@brentschmaltz
Contributor

@Tratcher I did :-)

@Tratcher Tratcher closed this as completed Oct 5, 2017
Tratcher added a commit that referenced this issue Feb 5, 2018
…d tests.

#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.