CXRF attack and Shib SP

Russell Beall beall at
Tue Apr 8 12:42:44 EDT 2014

Nothing was detected regarding the Shib SP component of course, it was the application which was found to be vulnerable.  Management indicated in their response that something could be done about this with Shibboleth and so the task was punted over to my director.  I'll just have to punt it right back…


On Apr 8, 2014, at 7:45 AM, "Cantor, Scott" <cantor.2 at> wrote:

> On 4/8/14, 10:36 AM, "Russell Beall" <beall at> wrote:
>> Does anyone on this list have any shib configuration that can block CXRF
>> so that a change to the app could be avoided?
> I don't know for certain what was detected, but the short answer is that
> IdP-initiated SSO is in and of itself an example of CXRF, and the SP
> doesn't currently contain options to block it.
> -- Scott

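For reference, the "change to the app" the thread is steering toward is an ordinary anti-CSRF check on the application's own state-changing requests, which is the layer where the session the token must be bound to actually lives. The block below is an added example written for this page; it is not code from the thread, from Shibboleth, or from any particular web framework, and the names used (SERVER_SECRET, the request dict layout, handle_transfer) are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: a per-process secret used to derive CSRF
# tokens. A real deployment would load this from configuration so that
# all instances behind a load balancer agree on it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the CSRF token for a session (synchronizer token pattern).

    The token is an HMAC over the session identifier, so the server does
    not have to store it: it recomputes the expected value on every
    request. The application embeds this token in its own forms; a
    cross-site page cannot read it because of the same-origin policy.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented) -> bool:
    """Constant-time comparison of the presented token against the one
    expected for this session. Missing or wrong-session tokens fail."""
    if not session_id or not presented:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, str(presented))


def handle_transfer(request: dict) -> tuple:
    """Hypothetical state-changing endpoint. `request` is a constructed
    dict with 'method', 'cookies' and 'form' keys standing in for what a
    framework would hand the handler. Returns (status, body)."""
    cookies = request.get("cookies", {})
    form = request.get("form", {})
    session_id = cookies.get("session")
    if not session_id:
        return (401, "no session")
    if request.get("method") != "POST":
        return (405, "state changes require POST")
    # The check the scanner was looking for: the browser attaches the
    # session cookie automatically on a cross-site POST, but the attacker
    # cannot supply a token bound to the victim's session.
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    return (200, f"transferred {form.get('amount')} to {form.get('to')}")


def demo() -> dict:
    """Run one legitimate request and one forged request (constructed
    sample inputs) and return both statuses."""
    sid = "sess-7f3a9c"
    legitimate = {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"amount": "100", "to": "acct-42",
                 "csrf_token": issue_csrf_token(sid)},
    }
    # Forged cross-site POST: cookie is present (sent by the browser),
    # but the attacker's page had no way to learn the victim's token.
    forged = {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"amount": "100", "to": "acct-attacker"},
    }
    return {"legitimate": handle_transfer(legitimate)[0],
            "forged": handle_transfer(forged)[0]}


if __name__ == "__main__":
    print(demo())
```

Because the token is tied to the application's session, the check has to sit in the application (or a component that shares its session), which is the practical reason a configuration change to the SP alone cannot substitute for it.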