[Owasp-leaders] OWASP and Identity

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Fri Dec 12 13:02:35 EST 2008


There are a few scenarios that I would love for someone to account for
in terms of their projects that are related to identity.

1. If you are familiar with OpenID you may know that an identifier can
be pretty much anything. Since it can be anything, it could also look
like a SQL injection. So, guidance on how websites should think about
this is in order.

2. If you are familiar with federated identity, specifically SAML
browser profiles, you know that there is a potential authorization issue
few discuss in terms of products that should be accounted for. For
example, you can have a URL that looks like:
http://idp.one.com/login?target=http://sp.two.com/rp?target=http://app.two.com/company=123 (note: I sanitized/dumbed down the URL). The
challenge becomes one of trust. In this particular scenario of the
app.two.com supporting multiple companies, it can on the good path trust
the identity provider that I have been properly authenticated, but
doesn't always account for what happens if I jack the idp by attacking
say the directory and adding in a customer of say company three.com.
Additionally, in architectures where the RP is a different product and
folks are using web access management products, the information exchange
from the IDP doesn't get passed along (no standards as to how to shove
this into TAM, Siteminder, etc), and therefore the application that takes
a param such as company can't compare it to who initiated the
federation.

I was in an IBM user group on Monday where another company presented
their federation strategy and had a similar URL pattern. There were
folks who attended OWASP and raised the thinking I outlined above before
I got a chance to jump in. Good to know that OWASP is starting to reach
a few security folks on my side of town. Maybe, you can use this
scenario to make sure that federated identity is secure as well...
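As an added illustration of scenario 1 (this is example code written for this page, not code from the original post or from any OWASP project): an OpenID claimed identifier is attacker-chosen text that happens to be a URL, so the relying party should normalize it and then bind it as a query parameter, never splice it into SQL. The account table, the identifiers and the injection-shaped identifier below are all constructed samples; the lookup is assumed to run only after the OpenID assertion itself has been verified, which this block does not show.

```python
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: claimed OpenID identifiers already linked to local accounts.
SAMPLE_USERS = [
    ("http://alice.example.org/", "alice"),
    ("http://bob.example.net/id", "bob"),
]

# Constructed identifier that is a syntactically fine URL but carries an SQL payload.
INJECTION_SAMPLE = "http://attacker.example/' OR '1'='1"


def build_db():
    """In-memory table standing in for the relying party's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (claimed_id TEXT PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def normalize_claimed_id(raw):
    """Normalize a user-typed identifier before it is stored or compared.

    Assumption: URL identifiers only (OpenID 2.0 XRI forms are not handled).
    Mirrors the OpenID 2.0 rules: default to http://, lowercase scheme and host,
    drop the fragment, and use '/' when the path is empty.
    """
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL identifier")
    netloc = parts.hostname.lower()
    if parts.port:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def lookup_unsafe(conn, claimed_id):
    """DELIBERATELY VULNERABLE: the identifier is concatenated into the SQL text."""
    sql = "SELECT username FROM users WHERE claimed_id = '" + claimed_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, claimed_id):
    """Hardened form: the identifier travels as a bound parameter, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE claimed_id = ?", (claimed_id,))
    return [row[0] for row in rows]


def resolve_user(conn, raw_identifier):
    """Normalize, then look up; returns the local username or None."""
    matches = lookup_safe(conn, normalize_claimed_id(raw_identifier))
    return matches[0] if matches else None


if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, INJECTION_SAMPLE))   # every account matches
    print("safe:  ", lookup_safe(db, INJECTION_SAMPLE))     # nothing matches
    print("alice: ", resolve_user(db, "ALICE.example.org/#profile"))
```

With the injection-shaped identifier the concatenated query matches every row, while the parameterized query matches none; normalization also means the same person typed as `ALICE.example.org/#profile` still resolves to the stored `http://alice.example.org/`.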
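As an added illustration of scenario 2 (example code written for this page, not code from the original post or from any vendor product): the nested `target=` chain is walked hop by hop and every hop is checked against an allowlist, and the application's `company` parameter is compared against the company the IdP asserted for the authenticated user rather than trusted on its own. The host allowlist, the `company` attribute name and the idea that the assertion attributes reach the application through the web access management layer are all assumptions; the chain below is constructed to match the URL pattern quoted in the post, with proper percent-encoding.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed allowlist of hosts that may appear anywhere in a target chain.
ALLOWED_REDIRECT_HOSTS = {"idp.one.com", "sp.two.com", "app.two.com"}


def _build_chain(final_target):
    """Construct the nested idp -> sp -> app chain from the post, properly percent-encoded."""
    sp = "https://sp.two.com/rp?" + urlencode({"target": final_target})
    return "https://idp.one.com/login?" + urlencode({"target": sp})


# Constructed samples: the legitimate chain and one whose last hop leaves the allowlist.
SAMPLE_CHAIN = _build_chain("https://app.two.com/home?company=123")
EVIL_CHAIN = _build_chain("http://evil.example/phish")


def unwrap_targets(url, max_depth=5):
    """Follow nested 'target' parameters and return every hop, outermost first."""
    hops = [url]
    while len(hops) <= max_depth:
        nxt = parse_qs(urlsplit(hops[-1]).query).get("target")
        if not nxt:
            return hops
        hops.append(nxt[0])
    raise ValueError("target chain too deep")


def chain_is_trusted(url):
    """Every hop must be https and on an allowlisted host, or the whole chain is refused."""
    try:
        hops = unwrap_targets(url)
    except ValueError:
        return False
    for hop in hops:
        p = urlsplit(hop)
        if p.scheme != "https" or (p.hostname or "").lower() not in ALLOWED_REDIRECT_HOSTS:
            return False
    return True


def authorize_company(asserted_attrs, final_target):
    """Bind the 'company' URL parameter to what the IdP asserted for this user.

    asserted_attrs models the attributes from the SAML assertion (assumption: the
    WAM layer passes them through to the application). Fail closed when the
    attribute is missing, which is exactly the gap the post describes.
    """
    requested = parse_qs(urlsplit(final_target).query).get("company", [None])[0]
    allowed = asserted_attrs.get("company", [])
    return requested is not None and requested in allowed


if __name__ == "__main__":
    hops = unwrap_targets(SAMPLE_CHAIN)
    print("hops:", hops)
    print("trusted:", chain_is_trusted(SAMPLE_CHAIN), chain_is_trusted(EVIL_CHAIN))
    # A user the attacker added at the IdP under company 3 asks for company 123.
    print("company 3 user -> company 123:", authorize_company({"company": ["3"]}, hops[-1]))
```

The second check is the one the post says gets lost: if the directory behind the IdP is altered to add a user of some third company, that user still arrives with a valid assertion, so only a comparison between the asserted company and the requested `company` value stops them; when the attribute never reaches the application (the TAM/Siteminder case), this version refuses rather than falls back to trusting the URL.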