Need help- .net authentication cookie (.ASPXAUTH)


sandesh

Apr 11, 2011, 2:52:54 AM
to null
Hi All,

I have an ASP.NET application. In my login page I'm calling the lines
of code below:

FormsAuthentication.SignOut();
Session.Abandon();
Session.Clear();

However, if I grab the authentication cookie (i.e. .ASPXAUTH) value using
Fiddler and then, after logout, re-inject the cookie (.ASPXAUTH)
value, I'm able to gain access to protected pages.

Did anybody come across this issue? Any solution to this issue would be
appreciated.

Thanks in advance,

Regards,
Sandesh.

webDEViL

Apr 11, 2011, 7:52:47 AM
to null-...@googlegroups.com, sandesh
That's how it's supposed to work.
Once you sign out, the session is destroyed (ideally).

You can't use the same session for this purpose. You have to perform the attack while the user is logged in.
(Use a different browser for your satisfaction)




--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

This list is supported by Institute of Information Security http://iisecurity.in
Learn information security at your own pace – eLearning programs at http://elearning.iisecurity.in



--
Regards,
webDEViL


webDEViL

Apr 11, 2011, 8:05:51 AM
to null-...@googlegroups.com, sandesh
Ignore my previous reply. I misread your question.
Sorry :)

Bipin Upadhyay

Apr 11, 2011, 8:12:01 AM
to null-...@googlegroups.com, sandesh
I don't remember much of .NET, so I'm not sure if I'm right, but it might be a session fixation issue. For example, in PHP you need to call session_regenerate_id to avoid it.

--Bipin.

»»sent from my pwnedBerry®



sunil yadav

Apr 11, 2011, 8:15:54 AM
to null-...@googlegroups.com
Hi Sandesh,

Try deleting the cookie explicitly in your code when it logs out, as shown in the code below.


HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

if (authCookie != null)
{
    // Overwrite the auth cookie with one that is already expired so the browser drops it.
    // DateTime is immutable: AddDays() returns a new value, so the result must be assigned to Expires.
    HttpCookie cookie = new HttpCookie(authCookie.Name);
    cookie.Expires = DateTime.Now.AddDays(-1D);
    Response.Cookies.Add(cookie);
}

hope this helps.




--
Regards,
Sunil Yadav

My Blog : http://www.sunilyadav.net/

Follow Me : http://twitter.com/yadavsunil

rahul sasi

Apr 11, 2011, 1:33:51 PM
to null-...@googlegroups.com
Hi,

@Sandesh, Sunil has given the right solution. You could implement the same fix using FormsAuthentication, as it's a better way. The problem you are facing is that when you do FormsAuthentication.SignOut the cookies are not actually cleared and are still there. Session.Abandon also has the same issue. So it's better to use a cookie expiration date on your cookies.

Sometimes forced browsing is seen because of local browser cache issues. That could be fixed by sending a no-cache response.

This code, using forms authentication and no-cache, would be a fix for your issues, I suppose.

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
// No-cache response: the browser won't cache the pages

FormsAuthentication.SignOut();
Session.Abandon();
// Overwrite the auth cookie with an empty, already-expired one so the browser discards it
HttpCookie authentication_cookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
authentication_cookie.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(authentication_cookie);

// You might do the same with session cookies if required.

Just let us know if it worked.

Regards.
Rahul Sasi aka Fb1h2s
Info Security Consultant

07738222968
09320233681
www.fb1h2s.com
wwww.garage4hackers.com
www.garage4hackers.com/blog.php?8-Fb1h2s-blog


sandesh

Apr 12, 2011, 12:09:14 AM
to null
Thank you all for the response.
I tried the option suggested by Sunil, deleting the cookie explicitly
with an expiration date.
I'm also clearing the cache values by implementing the code suggested
by Rahul.
Still, the authentication cookie replay attack is possible.

The following Microsoft link only provides more information about how to
ease cookie replay attacks, but not the fix.

http://support.microsoft.com/kb/900111


The cookie replay attack is possible only before the timeout period.
The timeout attribute is mentioned in my web.config file:
<authentication mode="Forms">
<forms loginUrl="~/Security/Login" timeout="20" />
</authentication>

The attack scenario would be: grabbing the authentication cookie
(i.e. .ASPXAUTH) value and re-injecting the cookie after logout, which
must be done before the timeout period.

Regards,
Sandesh.


sandesh

Apr 12, 2011, 2:34:27 AM
to null
Thank you all for the response.
I've tried deleting the authentication cookie explicitly by setting a
cookie expiration date (implementing the solution suggested by Sunil). No
value is cached in my application.
Still my application is open to a cookie replay attack.
The following is the Microsoft link, which provides more information about
how to ease cookie replay attacks but doesn't talk about the fix.
http://support.microsoft.com/kb/900111
This attack is possible only in the timeout period (i.e. 20 mins), which
I mentioned in my web.config file.
<authentication mode="Forms">
<forms loginUrl="~/Security/Login" timeout="20" />
</authentication>


Thanks and Regards,
Sandesh.


rahul sasi

Apr 12, 2011, 3:40:15 AM
to null-...@googlegroups.com, sandesh
Hi Sandesh,

Thanks for your link. And about the fix: the code that I have referenced above is itself the fix.

Practical attack scenario: the victim logs out of the application, server-side cookies are not cleared yet, and an attacker who uses the victim's computer authenticates to the victim's session using the [so-called cleared] cookies.

So in the code which I referenced, when the victim clicks the log-out button the following code is called:

FormsAuthentication.SignOut();                                   <--- 1) Sign out the victim

Session.Abandon();
HttpCookie authentication_cookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
authentication_cookie.Expires = DateTime.Now.AddYears(-1);
Response.Cookies.Add(authentication_cookie);                     <--- 2) New junk cookie set, replacing the old one

1) We sign out the victim.
2) Then we set the victim a new junk cookie, so now even if the cookies are not cleared on the server side, the attacker who uses the computer won't get the previous cookies, as they have been replaced by a new junk one. So in practical life this attack is avoided.

But in your current experiment, you yourself are both the victim and the attacker. So here you are logging the cookies using a local proxy; since you have the cookies in a second location other than the browser, you are able to reproduce the attack. In real-case scenarios, using my code, this would not occur unless there is a network proxy through which traffic is redirected. But then network proxies are always a risk.

I am not sure about the consequences of fixing the same issue by reducing the web.config timeout values. But if you are able to find any success there, please share the info. Feel free to flame me if I am wrong somewhere.


Regards,


Anant Shrivastava

Apr 12, 2011, 3:48:16 AM
to null-...@googlegroups.com, rahul sasi, sandesh
Hi All,

just my two cents.

What if the cookies are being stolen by either a proxy attack (as you mentioned about a network proxy) or, let's say, an XSS attack on the application? The possibilities are endless, so we'd better fix this before proceeding.

Or I might be wrong?


Anant Shrivastava 
 CEH | RHCE
Mob : 91-9764899904
E-mail : an...@anantshri.info
Web : http://anantshri.info

sandesh

Apr 12, 2011, 5:52:29 AM
to null

I agree with Anant.
How do we protect the authentication cookie against a proxy attack?
This authentication cookie (.ASPXAUTH) is passed as part of the
header information with each request.

To some extent we can tackle XSS attacks by using the HttpOnly="true"
attribute (in browsers which support HttpOnly).

Or I also might be wrong!

Regards,
Sandesh.



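As an added example (not from the thread, and not a recommendation any poster made), here is the web.config fragment Sandesh posted next to the same fragment with the settings that address the two theft routes raised in this post: requireSSL marks the cookie Secure and makes the server reject the ticket on non-HTTPS requests, so a passive proxy on plain HTTP never sees it; httpOnlyCookies keeps script from reading it after an XSS; slidingExpiration="false" makes the replay window the absolute timeout instead of one that each replayed request can extend. The attribute names are real ASP.NET settings; the loginUrl and timeout values are the ones from the thread.

```xml
<!-- Weak: cookie travels over plain HTTP, script-readable, window renewed on every request -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Security/Login" timeout="20" />
  </authentication>
</system.web>

<!-- Hardened: ticket only over TLS, not readable by script, fixed 20-minute window -->
<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <authentication mode="Forms">
    <forms loginUrl="~/Security/Login"
           timeout="20"
           requireSSL="true"
           slidingExpiration="false" />
  </authentication>
</system.web>
```

These settings shrink the exposure (the ticket is harder to steal and the copy stops working at a fixed time); they do not make a copy that was already captured stop working at logout, because the server still accepts any correctly signed, unexpired ticket.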

TAS

Apr 12, 2011, 6:58:09 AM
to null-...@googlegroups.com, sandesh
What Rahul and Bipin say is the same and should work. If you inject a
stale cookie from the client and the server accepts this cookie, that
means there is a wide variety of session-related attacks that I can
try against that web application, the most popular one being a session
fixation attack. The countermeasure for such a scenario is what Rahul
mentioned. I am just putting down the pseudo code; how you implement
it is up to you.

1. User gets a random or junk cookie when the user simply visits the
website as a guest user.
2. When the user logs in a new cookie or session is assigned.
3. When the user logs out the cookie generated in step 2 should be
deleted/destroyed and a new junk cookie should be regenerated.

I don't think setting a low timeout in the web.config is going to
help. Also, the article you are referring to is dated May 2007, very
old. The recommendation or workaround that they have mentioned should
be a part of the latest .NET framework.

Hope that helps.

-
TAS
http://twitter.com/p0wnsauc3
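An added example, not from the thread or from ASP.NET, that models two things discussed above: what Sandesh observed (a copy of the ticket taken off the wire still validates after the client-side logout, right up to the 20-minute timeout, no matter how the cookie is expired in the browser) and TAS's third step (a logout that destroys the ticket on the server). A forms-auth ticket is self-contained: user name plus expiry, signed with a server key, so a server that keeps no per-ticket state has nothing to check except the signature and the expiry. The ticket layout, the HMAC key standing in for machineKey, the fixed clock and the user name are all constructed for the example; it is a model of the mechanism, not the real .ASPXAUTH format.

```python
"""Self-contained signed auth ticket (how a forms-auth cookie behaves) next to
the same ticket with server-side revocation at logout. Constructed example."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatelessTicketAuth:
    """Tickets of the form base64(json).hmac, keyed with a server secret (the
    role machineKey plays). The server remembers nothing per ticket, so a
    ticket is good for exactly as long as its embedded expiry says."""

    def __init__(self, key: bytes, timeout_minutes: int = 20):
        self.key = key
        self.timeout = timeout_minutes * 60

    def issue(self, user: str, now: float) -> str:
        payload = {"user": user, "exp": now + self.timeout,
                   "tid": secrets.token_hex(8)}        # per-ticket id, used below
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _decode(self, cookie: str):
        body, _, sig = cookie.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                                   # forged or tampered
        return json.loads(_b64d(body))

    def validate(self, cookie: str, now: float):
        """User name if the ticket is accepted, else None."""
        t = self._decode(cookie)
        if t is None or now >= t["exp"]:
            return None
        return t["user"]

    def logout(self, cookie: str, now: float) -> str:
        """All a client-side logout can do: tell the browser to drop the cookie.
        Nothing on the server changes, so a saved copy validates until exp."""
        return ".ASPXAUTH=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; HttpOnly"


class RevocableTicketAuth(StatelessTicketAuth):
    """Same ticket, plus a server-side list of ticket ids revoked at logout.
    An entry is only needed until the ticket would have expired anyway."""

    def __init__(self, key: bytes, timeout_minutes: int = 20):
        super().__init__(key, timeout_minutes)
        self.revoked = {}                                 # tid -> exp

    def validate(self, cookie: str, now: float):
        self.revoked = {tid: exp for tid, exp in self.revoked.items() if now < exp}
        t = self._decode(cookie)
        if t is None or now >= t["exp"] or t["tid"] in self.revoked:
            return None
        return t["user"]

    def logout(self, cookie: str, now: float) -> str:
        t = self._decode(cookie)
        if t is not None:
            self.revoked[t["tid"]] = t["exp"]            # invalidate server-side first
        return super().logout(cookie, now)


def replay_scenario(auth_cls, timeout_minutes: int = 20) -> dict:
    """Victim logs in at t=0; the attacker copies the cookie off the wire; the
    victim logs out at t=60s; the attacker replays the copy at t=120s and again
    at the timeout. Returns who the server believes is calling each time."""
    auth = auth_cls(secrets.token_bytes(32), timeout_minutes)
    t0 = 1_700_000_000.0                                  # fixed clock, repeatable runs
    cookie = auth.issue("alice", t0)
    captured = cookie                                     # attacker's copy
    before = auth.validate(captured, t0 + 30)
    auth.logout(cookie, t0 + 60)                          # victim clicks log out
    tampered = captured[:-1] + ("0" if captured[-1] != "0" else "1")
    return {
        "before_logout": before,
        "after_logout": auth.validate(captured, t0 + 120),
        "after_timeout": auth.validate(captured, t0 + timeout_minutes * 60),
        "tampered": auth.validate(tampered, t0 + 30),
    }


if __name__ == "__main__":
    for cls in (StatelessTicketAuth, RevocableTicketAuth):
        print(cls.__name__, replay_scenario(cls))
```

Run it and the stateless variant reports "alice" for the replay after logout and None only once the 20 minutes are up, which is the behaviour Sandesh measured; the revocable variant reports None immediately after logout. The difference is purely server-side state: a revoked-id list (or a per-user generation number bumped at logout and embedded in each ticket) that the validator consults on every request, and that only has to be kept for the length of the timeout window.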
