ASP.NET Forms Authentication Vulnerability
McAfee, Inc., a leader in intrusion prevention, announced that its security services group, Foundstone Professional Services, will release a whitepaper on Microsoft ASP.NET Forms Authentication and "cookie replay" attacks. The whitepaper will be located at http://www.foundstone.com/index.htm?...hitepapers.htm. In response, Microsoft authored an MSDN article:
http://support.microsoft.com/default...b;en-us;900111.
What is a "cookie replay" attack? When authentication information is stored in a cookie, an attacker who gains access to that cookie can authenticate back to the web application.
The particular vulnerability in ASP.NET Forms Authentication is that even if the cookie is explicitly removed, no persistent record of that is stored server-side. So, the credentials could still be used to authenticate to the web application. Also, even though cookies can have an expiration date (and always should!), ASP.NET actually uses a "forms authentication ticket" to determine if a cookie is still valid. This can allow an "expired" cookie to still be seen as valid by the ASP.NET application.
Both the Foundstone/McAfee whitepaper and the MSDN article give advice for how to plug this potential security hole.
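The server-side fix the post alludes to (a persistent record of sign-outs, checked alongside the ticket's own expiry), sketched as an added example; this is not code from the post, the Foundstone whitepaper or the Microsoft article. Assumptions: the `TicketRevocation` class and its in-memory store are illustrative names, and the check is wired into `Global.asax`.

```csharp
// Added example: reject a replayed forms-auth cookie whose ticket is still
// cryptographically valid by recording sign-outs server-side.
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

public static class TicketRevocation
{
    // Assumption: in-memory store for illustration only. A real site persists
    // this (database or shared cache) so it survives restarts and spans a farm.
    private static readonly ConcurrentDictionary<string, DateTime> SignedOutAt =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call this from the logout handler, just before FormsAuthentication.SignOut().
    public static void RecordSignOut(string userName)
    {
        SignedOutAt[userName] = DateTime.UtcNow;
    }

    // A ticket is acceptable only if it has not expired by its own clock AND
    // it was issued after the user's most recent sign-out.
    public static bool IsTicketAcceptable(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        DateTime signedOut;
        if (SignedOutAt.TryGetValue(ticket.Name, out signedOut))
            return ticket.IssueDate.ToUniversalTime() > signedOut;
        return true;
    }
}

// Global.asax.cs: inspect the cookie on every request, independently of the
// cookie's own Expires attribute, which the browser may or may not honour.
public partial class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { /* tampered or malformed cookie: treat as invalid */ }
        if (TicketRevocation.IsTicketAcceptable(ticket)) return;
        // Replayed, expired or tampered: clear the cookie and force a fresh login.
        FormsAuthentication.SignOut();
        Response.Redirect(FormsAuthentication.LoginUrl);
    }
}
```

Keep the sign-out record at least as long as the ticket lifetime (and any sliding-expiration window) so that no ticket issued before the sign-out can outlive the record.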