Investigation: ADFS-Benefits (sts -> ehr)

All replies

  • I used Firefox to access http://mymicrosoftbenefits.ehr.com/adfs, without letting the browser remember my password.

    I was asked to type in my username/password, which I believe is the behavior of BRM 4 - BRM 7. I typed in my username/password, and the authentication went through smoothly.

    I don't know why I am not able to correctly replay BRM 8. I am talking about replaying it on the same browser. Does it necessarily imply that one of the elements among wa[BLOB] & wresult[BLOB,SU,SEC] & wctx[BLOB,SU,SEC] cannot be reused even by the same client?


    • Edited by cs0317 Wednesday, April 4, 2012 10:10 PM
    Wednesday, April 4, 2012 9:46 PM
  • BRM 9 can be replayed on the same machine.
    Wednesday, April 4, 2012 10:06 PM
  • Why is wresult different in BRM8 and BRM9? Should it be propagated from BRM8? Similarly, wctx is different in BRM8 and BRM9. A related question: where do the values of wresult and wctx come from, since they do not come from BRM8?

    Wednesday, April 4, 2012 10:13 PM
  • Observation:

    * None of the arguments in BRM10 is important when I replay it after doing the SSO once. Specifically, I was able to replay this message:

    GET
    https://mymicrosoftbenefits.ehr.com/adfs/Default.aspx

    Host: mymicrosoftbenefits.ehr.com
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.8,zh-Hans;q=0.5,zh;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: https://msft.adfs.ehr.com/adfs/ls/
    Cookie: _WebSsoAuth=hello; _WebSsoAuth0=world

    I found that when the two cookies are incorrect, the browser is redirected to the STS, which sets correct values for these two cookies. (Note: the server actually corrects the cookie values, rather than creating new valid values.)


    • Edited by cs0317 Thursday, April 5, 2012 5:25 AM
    Thursday, April 5, 2012 5:05 AM
  • wct is DATE. It was labeled as SEC. I have corrected it.

    Rui Wang

    Friday, April 6, 2012 5:15 PM
  • I have a question regarding wtrealm. According to the document:

    "wtrealm This optional parameter is the URI of the requesting realm. This should be specified if it isn't obvious from the request (e.g. the wreply parameter). The wtrealm SHOULD be a security realm of the resource in which nobody (except the resource or authorized delegates) can control URLs."

    In the traces we collected, the value of wtrealm is urn:federation:watsonwyatt. I don't understand why the value is not a URI. What does this value mean? It seems that urn:federation:watsonwyatt has nothing to do with the relying party’s identity. Does it mean that the identity is specified solely by wreply?

    Monday, April 9, 2012 5:51 PM
  • wreply appears on BRM3, disappears between BRM4-BRM8, and re-appears on BRM9. I assume that it is represented by wctx (the session context, maybe). Is it possible to have an attack similar to the one against JanRain -- to bind Alice's browser to Bob's session?

    Monday, April 9, 2012 11:54 PM
  • wreply appears on BRM3, disappears between BRM4-BRM8, and re-appears on BRM9. I assume that it is represented by wctx (the session context, maybe). Is it possible to have an attack similar to the one against JanRain -- to bind Alice's browser to Bob's session?


    Definitely something worth trying.

    Rui Wang

    Tuesday, April 10, 2012 12:07 AM
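The two open questions above (what wtrealm and wctx identify, and whether a wresult/wctx pair from Bob's session can be completed in Alice's browser, as in the JanRain case) are easier to reason about with a concrete relying-party model. The following is an added example written for this page; it is not code from the thread, from ADFS, or from the ehr.com site. It models a WS-Federation passive sign-in (wa/wtrealm/wreply/wctx/wct on the request, wa/wresult/wctx on the response) in which the relying party binds wctx to the requesting browser with an HMAC cookie, checks that the token's audience matches its realm, and rejects a stale wct. The HMAC stands in for the XML signature on a real token, the `_wctx_bind` cookie and the keys are constructed for illustration, and only the URLs, the `_WebSsoAuth` cookie name and the `urn:federation:watsonwyatt` realm come from the thread. On the wtrealm question, note that `urn:` is a URI scheme, so a URN such as `urn:federation:watsonwyatt` is a URI in the sense the WS-Federation text uses; the relying party's identity is whatever the STS has registered under that realm name, and the code below treats the realm as the token's audience.

```python
"""Added example: a relying party (RP) that binds wctx to the browser that
started the sign-in, so a wresult+wctx captured from Bob's session cannot
be completed in Alice's browser. All keys and cookie names are constructed."""
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed keys: HMAC stands in for the XML signature on a real RSTR/SAML token.
STS_KEY = b"constructed-sts-signing-key"
RP_KEY = b"constructed-rp-binding-key"

WTREALM = "urn:federation:watsonwyatt"  # realm value observed in the thread; 'urn:' is a URI scheme
WREPLY = "https://mymicrosoftbenefits.ehr.com/adfs/Default.aspx"
STS_URL = "https://msft.adfs.ehr.com/adfs/ls/"
WCT_MAX_AGE = timedelta(minutes=5)  # assumption: how old a request's wct may be


class Browser:
    """Cookie jar standing in for one user's browser."""
    def __init__(self):
        self.cookies = {}


def rp_start_signin(browser, now=None):
    """RP side (BRM3-style request): mint a random wctx, bind it to this
    browser with an HMAC cookie, and build the redirect URL to the STS."""
    now = now or datetime.now(timezone.utc)
    wctx = secrets.token_urlsafe(16)
    browser.cookies["_wctx_bind"] = hmac.new(RP_KEY, wctx.encode(), hashlib.sha256).hexdigest()
    params = {
        "wa": "wsignin1.0",
        "wtrealm": WTREALM,
        "wreply": WREPLY,
        "wctx": wctx,
        "wct": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    return STS_URL + "?" + urlencode(params)


def sts_signin(request_url, user, now=None):
    """STS side (constructed stand-in for ADFS): check wa, reject a stale or
    future wct, and return the POST fields the browser relays to wreply."""
    now = now or datetime.now(timezone.utc)
    q = parse_qs(urlsplit(request_url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("unsupported wa")
    wct = datetime.strptime(q["wct"][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (timedelta(0) <= now - wct <= WCT_MAX_AGE):
        raise ValueError("stale or future wct")
    claims = f"{user}|{q['wtrealm'][0]}"  # subject + audience, as a real token carries
    sig = hmac.new(STS_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return {"wa": "wsignin1.0", "wresult": f"{claims}|{sig}", "wctx": q["wctx"][0]}


def rp_finish_signin(browser, form):
    """RP side (BRM9-style response): return the signed-in user, or None if
    the token is bad, is for another realm, or wctx is not bound to this browser."""
    try:
        user, realm, sig = form["wresult"].split("|")
    except (KeyError, ValueError):
        return None
    expected = hmac.new(STS_KEY, f"{user}|{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or realm != WTREALM:
        return None
    binding = hmac.new(RP_KEY, form.get("wctx", "").encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(binding, browser.cookies.get("_wctx_bind", "")):
        return None  # wctx was minted for a different browser (or already consumed)
    del browser.cookies["_wctx_bind"]  # one-shot: the same wctx cannot be used twice
    browser.cookies["_WebSsoAuth"] = secrets.token_urlsafe(16)
    return user


def demo():
    """Alice and Bob each start a sign-in; Bob's STS response is then pushed
    into Alice's browser (the JanRain-style binding attack) and replayed."""
    alice, bob = Browser(), Browser()
    alice_form = sts_signin(rp_start_signin(alice), "alice")
    bob_form = sts_signin(rp_start_signin(bob), "bob")
    return {
        "bob_into_alice": rp_finish_signin(alice, bob_form),  # rejected: wctx not bound to Alice
        "alice_own": rp_finish_signin(alice, alice_form),
        "bob_own": rp_finish_signin(bob, bob_form),
        "bob_replay": rp_finish_signin(bob, bob_form),        # rejected: wctx already consumed
    }


def stale_wct_is_rejected():
    """A request carrying a wct from 2012 (constructed) must be refused by the STS."""
    url = rp_start_signin(Browser(), now=datetime(2012, 4, 4, 21, 46, tzinfo=timezone.utc))
    try:
        sts_signin(url, "carol")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), stale_wct_is_rejected())
```

The check that matters for the JanRain-style question is the `_wctx_bind` comparison in `rp_finish_signin`: without it, any browser that posts a valid wresult plus the matching wctx is signed in as the token's subject, which is exactly the cross-browser session binding the thread asks about. Whether the real site performs such a binding is not shown by the traces discussed here; the thread's BRM10 replay only shows that the `_WebSsoAuth` cookies are re-issued on redirect.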