
saml-dev message



Subject: Checking of InResponseTo attribute



Hi all,

I have some questions regarding the checking of "InResponseTo" attribute.
While the SAML2 specification documents clearly define that "InResponseTo" must be checked if it corresponds to the request's "ID", they do not say why this is obligatory.

What kind of attacks could this checking prevent?
I see that it could be used to save time-consuming signature checking in eventual DoS attacks. Are there some other attack scenarios where it could be helpful?


Thanks and Regards,

Stefan
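
The check the message asks about, as an added example that is not part of the original post or of any SAML library: a service provider records the `ID` of each request it sends and accepts a `samlp:Response` only if its `InResponseTo` names an outstanding, unexpired, not yet answered request. The class `PendingRequests`, the helper `sample_response`, the 300-second lifetime and the policy of rejecting unsolicited responses are assumptions; signature validation is a separate step and is not shown.

```python
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class PendingRequests:
    """IDs of requests this SP has sent and not yet seen answered (hypothetical helper)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds          # assumed request lifetime
        self._issued = {}               # request ID -> time it was sent

    def remember(self, request_id, now=None):
        self._issued[request_id] = time.time() if now is None else now

    def check_response(self, response_xml, now=None):
        """Return (accepted, reason) for a samlp:Response document."""
        now = time.time() if now is None else now
        # Constructed samples only; use a hardened XML parser for untrusted input.
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Assumed policy: this SP does not accept unsolicited responses.
            return False, "no InResponseTo (unsolicited)"
        # pop() makes each request ID usable once, so a second response
        # carrying the same InResponseTo no longer matches anything.
        issued = self._issued.pop(in_response_to, None)
        if issued is None:
            return False, "InResponseTo matches no outstanding request"
        if now - issued > self.ttl:
            return False, "request expired"
        return True, "ok"


def sample_response(in_response_to):
    """Build a constructed, unsigned samlp:Response for the demonstration."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" '
            f'Version="2.0"{attr}/>')
```
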


