CSRF attack and Shib SP

Russell Beall beall at
Tue Apr 8 10:36:40 EDT 2014

I've been asked to respond to an audit of a sensitive application that was deemed vulnerable to cross-site request forgery. My initial response indicated that Shib might be able to help, but that it was really an application issue to solve. If they want the app to trust only internal links and not any external links, then the app itself would have to be changed.

Does anyone on this list have any Shib configuration that can block CSRF so that a change to the app could be avoided?
