Assurance

[Steven Carmody <>]

On 3/7/14 3:09 PM, Joe St Sauver wrote:
> Hi,
>
> Steven wrote:
>
> #I'll summarize the long back story.. a student recently brought us an
> #new app that they had recently built. Its 120 lines of javascript, and
> #leverages both node.js and the meteor platform.
>
> bearbucks.meteor.com appears to be down, so I can't check directly, but
> I'm assuming that the Javascript was loaded from the web page, and run
> in the user's browser, correct?

No.

The javascript runs completely within the server platform. That's 
something that's new....

> #This app sits in front of our Banner student system and acts as a proxy.
> #It presents its own login page,
>
> ... users *should* perceive that site as a potential phishing site, right?

As  you say, *should*. However, if its identical to the application's 
login page, then the user would have to look at the url bar... does 
anyone know of anything that could be embedded in the real page, but not 
duplicated in the fake page ?

> #Most worrisome, tho, is that we think that if we implemented some forms
> #of two factor in the authN process of our apps that this proxy could
> #quickly evolve to handle the extra step.
>
> True, for some forms of multifactor, harder for others.

Joe,

could you provide a quick summary of forms which can be abused by this 
sort of proxy, and which forms might succeed at protecting the application ?