Definition by OWASP:
"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities."
· The attackers may be external, or they may be legitimate users of the application who steal other users' account information.
· Attackers exploit flaws or leaks in the application's authentication and session-management functions; the result is loss of sensitive information and passwords that let them impersonate other users.
· Implementing custom authentication and session management correctly is very hard for application developers.
· Such a flaw may allow some, or even all, user accounts to be compromised.
· This risk is not as clearly defined as injection or XSS. "Broken authentication" is a bit of several different vulnerabilities, some of which can be looked up explicitly on their own, such as insecure cryptographic storage and insufficient transport layer protection.
· In practice the attacker intercepts the session identifier, either from the cookie or from the requested URL, and replays it.
ASP.NET Session State
Programmatically, session state is nothing more than memory in the shape of a dictionary or hash table, i.e. key-value pairs, which can be set and read for the duration of a user's session. The values live on the server; only an identifier for the session travels to the client.
Session Management
ASP.NET maintains session state by giving the client a unique key (the session ID) when the session begins. By default this key is stored in an HTTP cookie (ASP.NET_SessionId) that the client sends to the server on each request. The server reads the key from the cookie and re-inflates the server-side session state for that user. Whoever presents the key is treated as that user, so the key is the thing an attacker is after.
With cookie
The user enters a user name and password on the login page. After the credentials have been checked, the code below stores the user's identity in session state; from then on the session cookie is what ties later requests to this login.
// assume successful authentication against an account source...
Session["Username"] = username;
lblUsername.Text = username == null ? "Unknown" : username.ToString();
The session cookie itself is only an identifier, and it can be viewed and copied easily (browser developer tools, an intercepting proxy, or a sniffer on an unencrypted connection). Anyone who obtains it is treated as this user until the session ends.
Cookieless State Information
ASP.NET can also run cookieless session management, which stores the session ID at a fixed position in the URL instead of in a cookie:
<sessionState cookieless="true" />
http://yourserver/folder/(session ID here)/default.aspx
A page using cookieless state has exactly the same session information available as it would with cookies; only the place the ID travels differs. Because the ID is now part of every link, it ends up in browser history, proxy and server logs and Referer headers, and is handed over whenever the URL is copied or shared, which is why the session is even easier to intercept this way.
Use ASP.NET Membership provider and Role provider
Using the ASP.NET membership provider and role provider in practice helps reduce these attacks, because credential checking, password storage, lockout and role lookups are done by tested framework code rather than written again in each application.
<asp:LoginView ID="HeadLoginView" runat="server" EnableViewState="false">
    <AnonymousTemplate>
        [ <a href="~/Account/Login.aspx" id="HeadLoginStatus" runat="server">Log In</a> ]
    </AnonymousTemplate>
    <LoggedInTemplate>
        Welcome <span class="bold"><asp:LoginName ID="HeadLoginName" runat="server" /></span>!
        [ <asp:LoginStatus ID="HeadLoginStatus" runat="server"
                           LogoutAction="Redirect" LogoutText="Log Out"
                           LogoutPageUrl="~/" /> ]
    </LoggedInTemplate>
</asp:LoginView>
Use the membership controls supplied in the .NET control toolbox (Login, LoginView, LoginName, LoginStatus) and customise authorization through the role provider rather than through your own code. Avoid writing your own authentication and session management for the application; do not attempt to rewrite this code without a real need for it.
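The following login code-behind is an added example, not code from the original post; it shows what "let the provider do it" looks like in practice. It assumes a Login.aspx page with TextBox controls txtUsername and txtPassword, a Label lblMessage, a Membership provider and Role provider configured in web.config, and a hypothetical role named "Administrator".

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the original post. Assumes a Login.aspx
// page with TextBox controls txtUsername and txtPassword, a Label
// lblMessage, and a Membership provider plus Role provider configured
// in web.config (hypothetical role name "Administrator").
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // The configured provider does the credential check: hashed
        // password comparison and lockout after maxInvalidPasswordAttempts,
        // none of which this page has to reimplement.
        if (!Membership.ValidateUser(txtUsername.Text, txtPassword.Text))
        {
            // One message for both "no such user" and "wrong password",
            // so a failed attempt does not confirm which half was right.
            lblMessage.Text = "Invalid user name or password.";
            return;
        }

        // Throw away whatever session the browser arrived with and make
        // ASP.NET issue a fresh ASP.NET_SessionId on the next request, so
        // a session ID planted before login cannot be reused after it
        // (session fixation).
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty));

        // Issue the forms-authentication ticket. ASP.NET marks the cookie
        // HttpOnly; it is marked Secure when <forms requireSSL="true">.
        // Non-persistent: the ticket dies with the browser session.
        FormsAuthentication.SetAuthCookie(txtUsername.Text, false);

        // Authorization comes from the role provider, not from any value
        // the client submitted.
        string landing = Roles.IsUserInRole(txtUsername.Text, "Administrator")
            ? "~/Admin/Default.aspx"
            : "~/Default.aspx";
        Response.Redirect(landing, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Wire this to the LoggingOut event of the LoginStatus control
    // (OnLoggingOut="HeadLoginStatus_LoggingOut") so that logging out also
    // destroys the server-side session, not just the forms ticket.
    protected void HeadLoginStatus_LoggingOut(object sender, LoginCancelEventArgs e)
    {
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty));
    }
}
```

Two things to notice: the password never touches application code beyond being passed to Membership.ValidateUser, and the session ID handed out before login is discarded once login succeeds, so a stolen pre-login ID is worthless afterwards.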
Implement Proper Password Strength Controls
Password Length
· Set a minimum length of 10 characters.
· Short, weak passwords are quick to crack by guessing or brute force.
· Allow a maximum password length of 20-30 characters at least, so that longer passphrases are not rejected.
Password Complexity
§ at least 1 uppercase character (A-Z)
§ at least 1 lowercase character (a-z)
§ at least 1 digit (0-9)
§ at least 1 special character (punctuation); do not forget to treat space as a special character too.
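The class below is an added example, not code from the original post. It turns the length and complexity rules above into one checker that a registration page can call, and exposes the same rule as a single regular expression so it can also be placed in a Membership provider's passwordStrengthRegularExpression attribute. The class name and the 30-character cap (the upper end of the 20-30 range above) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example (not code from the original post). Enforces the post's
// password rules: 10-30 characters, at least one uppercase letter, one
// lowercase letter, one digit and one special character (space included).
public static class PasswordPolicy
{
    public const int MinLength = 10;   // the post's minimum
    public const int MaxLength = 30;   // assumed: upper end of the post's 20-30 range

    // One positive lookahead per rule. [^A-Za-z0-9] is used instead of \W
    // so that both the space and the underscore count as "special".
    public static readonly string StrengthPattern =
        "^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{" +
        MinLength + "," + MaxLength + "}$";

    private static readonly Regex Strength = new Regex(StrengthPattern);

    // Single yes/no answer, e.g. for a server-side validator control.
    public static bool IsStrong(string password)
    {
        return password != null && Strength.IsMatch(password);
    }

    // Every rule the candidate breaks, so the user sees all problems at
    // once rather than one per round trip.
    public static IList<string> Violations(string password)
    {
        var problems = new List<string>();
        if (password == null) password = string.Empty;

        if (password.Length < MinLength) problems.Add("at least " + MinLength + " characters");
        if (password.Length > MaxLength) problems.Add("at most " + MaxLength + " characters");
        if (!Regex.IsMatch(password, "[A-Z]")) problems.Add("an uppercase letter (A-Z)");
        if (!Regex.IsMatch(password, "[a-z]")) problems.Add("a lowercase letter (a-z)");
        if (!Regex.IsMatch(password, "[0-9]")) problems.Add("a digit (0-9)");
        if (!Regex.IsMatch(password, "[^A-Za-z0-9]")) problems.Add("a punctuation character (space counts)");
        return problems;
    }
}
```

PasswordPolicy.IsStrong("Tr0ub4dor &3") is true (12 characters, mixed case, digits, and both a space and an ampersand as specials), while "password12" fails on the uppercase and special-character rules and Violations returns both reasons. The same StrengthPattern string, copied into web.config, makes the SqlMembershipProvider reject weak passwords even for code paths that never call this class.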
Implement Secure Password Recovery Mechanism
Instead of sending the existing password by mail, reset it: the recovery flow issues a new or one-time password and never reveals the old one. This also means the password must be stored in a form that cannot be retrieved (hashed), not reversibly.
Use SSL with Session
With SSL all communication is encrypted, including the cookie contents in transit, which makes it nearly impossible to read the session cookie off the wire. SSL protects the cookie only while it travels, so the cookie must also be marked Secure, otherwise the browser will still send it over a plain HTTP request to the same host.
Set the session to expire, automatically or manually
Clear the session either automatically (an idle timeout) or manually (Session.Abandon() on logout) so that a captured session ID does not stay valid for a prolonged period. The timeout value is in minutes:
<system.web>
<sessionState timeout="10" />
</system.web>
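The web.config fragment below is an added example, not the post's own configuration. It collects, in one place, the settings the sections above ask for: session ID kept out of the URL (cookieless section), cookies sent only over SSL and out of reach of script (SSL section), a short idle timeout (expiration section), and a Membership provider that resets rather than retrieves passwords (recovery section) and enforces the password rules. The weak value each setting replaces is noted beside it. The provider name, connection string name and login URL are assumptions.

```xml
<!-- Added example, not the post's own web.config. Provider name,
     connectionStringName and loginUrl are assumed; the weak values
     shown in comments are the ones each hardened setting replaces. -->
<configuration>
  <system.web>

    <!-- Session ID stays in a cookie, never in the URL
         (weak: cookieless="true", "UseUri" or "AutoDetect").
         timeout is an idle timeout in minutes (default 20). -->
    <sessionState cookieless="UseCookies" timeout="10" />

    <!-- All cookies, ASP.NET_SessionId included: not readable by script,
         and only sent over HTTPS (weak: both attributes absent = false). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- Forms ticket only over HTTPS, same short idle timeout
           (weak: requireSSL="false", the default timeout of 30). -->
      <forms loginUrl="~/Account/Login.aspx"
             requireSSL="true"
             timeout="10"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <membership defaultProvider="SecureSqlProvider">
      <providers>
        <clear />
        <!-- Hashed storage, reset instead of retrieval, lockout after five
             failures in ten minutes, and the password rules from the post
             (weak: passwordFormat="Clear" or "Encrypted",
              enablePasswordRetrieval="true", minRequiredPasswordLength="7"). -->
        <add name="SecureSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ApplicationServices"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9]).{10,30}$" />
      </providers>
    </membership>

    <!-- Roles come from the database on each request; they are not cached
         in a client-side cookie that could be tampered with. -->
    <roleManager enabled="true" defaultProvider="SecureSqlRoleProvider" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="SecureSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="ApplicationServices"
             applicationName="/" />
      </providers>
    </roleManager>

  </system.web>
</configuration>
```

Note that timeout only bounds how long an idle session survives; a session that is actively being replayed by an attacker keeps renewing itself, which is why logout must also call Session.Abandon() and FormsAuthentication.SignOut() rather than relying on expiry alone.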
Summary
We can protect ourselves by encrypting the cookie in transit with SSL, expiring session information periodically, enforcing and verifying password strength, and avoiding cookieless session state.