...
Type | Threat | Mitigation |
---|---|---|
Information disclosure | If HTTPS is not used, the PGT can be stolen, which is extremely critical because it represents an SSO identity. | Always use HTTPS for the /proxy URL. |
Spoofing | The attacker can generate proxy tickets for other services and discover the user's attributes. | Limit the service definitions as much as possible: not a very efficient solution, we should never reach that point! |
Information disclosure | Very important information is passed as GET parameters. | Such information should be sent by POST instead. TODO |
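The two mitigations in the table (require HTTPS for the /proxy and proxy-callback URL, and keep the registered service definitions to a minimal allowlist) can be enforced in one validation step before a proxy ticket is issued. The following is an added example written for this page, not code from the original document or from any CAS implementation; the function names, the parameter names, the `REGISTERED_SERVICES` allowlist and the `SENSITIVE_QUERY_KEYS` set are constructed for illustration.

```python
"""Added example (not part of the original page): validate a proxy-ticket
request against the mitigations listed in the threat table.
1. The proxy callback URL must be HTTPS, otherwise the PGT travels in clear.
2. The target service must match a short, explicit allowlist of registered
   services, so an attacker holding a PGT cannot mint proxy tickets for
   arbitrary services.
3. Sensitive values must not be carried as GET parameters.
All names below are hypothetical."""
from urllib.parse import urlparse, parse_qs
import fnmatch

# Constructed allowlist: (scheme, host pattern, allowed path prefix).
# Keeping this list as short as possible is the "limit the service
# definitions" mitigation from the table.
REGISTERED_SERVICES = [
    ("https", "app1.example.org", "/"),
    ("https", "*.internal.example.org", "/api/"),
]

# Hypothetical query-string keys that must never appear in a GET URL;
# the table says such values should be sent by POST instead.
SENSITIVE_QUERY_KEYS = {"pgt", "pgtiou", "password"}


def check_proxy_callback_url(url: str) -> list:
    """Return a list of problems with a proxy callback URL (empty = acceptable)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("proxy callback URL must use HTTPS (PGT would be sent in clear)")
    if not parsed.netloc:
        problems.append("proxy callback URL has no host")
    leaked = SENSITIVE_QUERY_KEYS & set(parse_qs(parsed.query).keys())
    if leaked:
        problems.append(f"sensitive values in GET parameters: {sorted(leaked)}")
    return problems


def is_registered_service(url: str, registry=REGISTERED_SERVICES) -> bool:
    """Match a target service URL against the allowlist: the scheme must be
    identical, the host must match the pattern and the path must start with
    the registered prefix."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    for scheme, host_pattern, path_prefix in registry:
        if (parsed.scheme == scheme
                and fnmatch.fnmatchcase(host, host_pattern)
                and (parsed.path or "/").startswith(path_prefix)):
            return True
    return False


def validate_proxy_ticket_request(pgt_url: str, target_service: str) -> dict:
    """Combine both checks the way a /proxy endpoint would before issuing a
    proxy ticket for target_service to the holder of a PGT."""
    problems = check_proxy_callback_url(pgt_url)
    if not is_registered_service(target_service):
        problems.append(f"target service not registered: {target_service}")
    return {"allowed": not problems, "problems": problems}


if __name__ == "__main__":
    # Accepted: HTTPS callback, registered target service.
    print(validate_proxy_ticket_request("https://app1.example.org/cb",
                                        "https://app1.example.org/x"))
    # Rejected twice: plain-HTTP callback and an unregistered target service.
    print(validate_proxy_ticket_request("http://app1.example.org/cb",
                                        "https://evil.example.net/"))
```

The registry deliberately matches on scheme, host pattern and path prefix rather than on a bare substring, so a service registered as `https://app1.example.org/` does not also cover `http://app1.example.org/` or an unrelated host that merely contains the same string.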
Threats on the "proxy callbacks" attack surface
...