I'm trying to prevent a valid authentication cookie replay attack on asp.net core application which is using default identity.
I have tried a few things but nothing seems to be working. Once the user logs off from a session, I can see that I can still replay the authenticated request again using the old cookie.
Is there a way to prevent this?
Thanks
ASP.NET Core is not keeping track of sessions server-side. All session information is contained in the cookie itself (see this issue).
If you want to prevent replay attacks you need to keep track of sessions yourself. A convenient way to do so is to implement an ITicketStore (see SessionStore). Hint: make sure that your store survives an IIS reboot if you don't want your users to experience a logout.
Before doing so, of course you need to assess whether a replay attack is a real danger to your setup. Quoting this article:
If you make sure your site is only ever served over HTTPS, and your cookies are set as "secure", "same site", and "HTTP only", then an attacker will not be able to obtain the cookie value unless they have managed to perform a man-in-the-middle (MitM) attack. And if they've done that, you've got much bigger problems.
And:
Another concern would be if their computer or browser is compromised by malicious code. But again, if that happens, they've got bigger problems to worry about.
Related
I did a small sample test and found that almost all web sites I tested suffer from the vulnerability where I can access restricted pages (i.e. pages that require logging in) even after I have logged out from the browser if I save the cookies while I am still logged on.
The test was fairly simple. I just replayed a web request in Fiddler after I had logged out from the browser. For example, with outlook.com, after logging out, I could replay the page that shows the address book and still get my contacts' email addresses.
May I know what the industry standard is regarding this as I have one customer who insists on fixing this vulnerability but not wanting to increase the hardware specs.
I'm not sure if there's an industry standard, but there are best practices. And the best practice is to clean the cookies, and cookie management.
You shouldn't have to worry about hardware on this either. It's a simple lookup to see if a value is valid. If it isn't, then the session state shouldn't get resurrected.
Again, I would use HttpOnly and a secure flag on the cookie. That way, it will limit replay attacks more. And when it comes to resurrecting sessions, make sure that session files are destroyed on the server, not just abandoned.
Abandoned sessions mean they can potentially be resurrected.
Hardware will generally not be an issue with this problem. If it is, then look at your solution, as there might be a better way.
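The two answers above make the same point from different angles: a self-contained authentication cookie cannot be revoked because the server keeps nothing to revoke, whereas an opaque session id looked up in a server-side store is rejected as soon as logout destroys the record. The following Python block is an added example, not code from either answer or from ASP.NET Core; it implements both designs side by side and repeats the "replay after logout" test from the question against each. The HMAC-signed cookie stands in for the framework's data-protected ticket, the dictionary stands in for an ITicketStore backend, and SERVER_KEY is a constructed value.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed server key; stands in for the key a framework would use to sign
# its authentication cookie. Hypothetical value, regenerated on every run.
SERVER_KEY = secrets.token_bytes(32)


# --- Variant 1: self-contained (stateless) cookie, as in the default setup ---

def issue_stateless_cookie(user: str) -> str:
    """All session data lives in the cookie, protected by an HMAC tag."""
    payload = base64.urlsafe_b64encode(json.dumps({"user": user}).encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_stateless_cookie(cookie: str) -> Optional[str]:
    """Return the user if the tag is valid. Nothing here can tell that the
    user has since logged out: the server kept no record to consult."""
    if "." not in cookie:
        return None
    payload, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["user"]


def stateless_logout(cookie: str) -> None:
    """Logout in the stateless design only clears the cookie client-side;
    the server has no state to revoke, so a captured copy keeps working."""
    return None


# --- Variant 2: opaque session id looked up in a server-side store ---

_store: Dict[str, dict] = {}  # in memory for the example; persist it in practice


def issue_stateful_cookie(user: str) -> str:
    """The cookie is only a random nonce; the user data stays on the server."""
    session_id = secrets.token_urlsafe(32)
    _store[session_id] = {"user": user}
    return session_id


def verify_stateful_cookie(cookie: str) -> Optional[str]:
    """One lookup per request: unknown or revoked ids are rejected."""
    record = _store.get(cookie)
    return record["user"] if record else None


def stateful_logout(cookie: str) -> None:
    """Destroy the server-side record, not just the client's copy."""
    _store.pop(cookie, None)


def replay_after_logout(user: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Repeat the Fiddler test from the question against both designs:
    capture the cookie while logged in, log out, replay the captured value.
    Returns (user before logout, user after logout) for each design."""
    results = {}
    for name, issue, verify, logout in (
        ("stateless", issue_stateless_cookie, verify_stateless_cookie, stateless_logout),
        ("stateful", issue_stateful_cookie, verify_stateful_cookie, stateful_logout),
    ):
        captured = issue(user)
        before = verify(captured)
        logout(captured)
        after = verify(captured)
        results[name] = (before, after)
    return results


if __name__ == "__main__":
    print(replay_after_logout("alice"))
    # {'stateless': ('alice', 'alice'), 'stateful': ('alice', None)}
```

The per-request cost of the stateful design is the single dictionary (or cache) lookup in verify_stateful_cookie, which is the "simple lookup" the second answer refers to; the cost that does matter is making that store survive a process restart, as the first answer's hint about IIS reboots warns.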
One of our clients made a penetration test on our application and reported missing flags when working with cookies.
We should always use httpOnly and secure flags when setting cookies.
After some testing I realized that cookies were actually using these flags when set, but with one exception: log out.
When logging out, some cookies were set with a past expiration date so as to delete that cookie, but secure and httpOnly were not used.
Does this represent a security risk? Does it make sense to set these flags when setting an expired cookie?
No, assuming there are no holes in your app, the flag doesn't matter on the log out.
However, you should do what the pen tester says because there may be other security flaws in your app that can be exploited using this cookie if the flags aren't set. In other words, if your app were otherwise secure then the cookie wouldn't matter, however it probably does matter because there are no guarantees that your app is secure.
One example is an app that doesn't properly terminate or close sessions. A logout cookie is sent to the client without the flags, and is therefore compromised in some way such as MitM or Wire Sniffing. The attacker submits the cookie back to the app, along with any other arbitrary data designed to exploit a hole, thus triggering a vulnerability and getting a live session either by resurrecting the previous one or receiving a new one (like the famous NULL session attack).
This is a classic case of one security hole that is useless by itself, but adds a link to a chain that can be used to obtain a compromise.
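An added example (not the original poster's code or the pen tester's tooling) of the check behind the finding above: a small auditor that parses Set-Cookie header values and reports which of the expected flags are absent, alongside a builder that emits a deletion cookie with the flags kept. The two header lists are constructed to reproduce the reported pattern, a login response with the flags and a logout response without them; the cookie name "session" and the flag list are assumptions.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Sequence

# Flags the pen test in the question asked for. SameSite is listed too because
# the browser applies it to deletion cookies just as it does to live ones.
REQUIRED_FLAGS: Sequence[str] = ("secure", "httponly", "samesite")


def build_set_cookie(name: str, value: str, delete: bool = False) -> str:
    """Build one Set-Cookie header value. A deletion cookie (delete=True)
    gets an expiry in the past and Max-Age=0 but keeps every flag."""
    jar = SimpleCookie()
    jar[name] = "" if delete else value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    if delete:
        morsel["max-age"] = 0
        morsel["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    return morsel.OutputString()


def audit_set_cookie(header: str, required: Sequence[str] = REQUIRED_FLAGS) -> List[str]:
    """Return the required flags missing from one Set-Cookie header value,
    in the order of `required`. Attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [flag for flag in required if flag not in present]


def audit_response(headers: Sequence[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response; keyed by cookie name."""
    report = {}
    for header in headers:
        name = header.split("=", 1)[0].strip()
        report[name] = audit_set_cookie(header)
    return report


# Constructed headers reproducing the finding in the question: the login
# response sets the flags, the logout response deletes the cookie without them.
LOGIN_RESPONSE = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]
LOGOUT_RESPONSE = [
    "session=; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT",
]


if __name__ == "__main__":
    print(audit_response(LOGIN_RESPONSE))   # {'session': []}
    print(audit_response(LOGOUT_RESPONSE))  # {'session': ['secure', 'httponly', 'samesite']}
    print(build_set_cookie("session", "", delete=True))
```

Running the auditor over every response of a logout flow, not only the login response, is what surfaces this class of finding; the builder shows that nothing about a deletion cookie prevents carrying the same flags as the live one.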
Most Web Applications use cookies to manage the session for a user and allow you to stay logged in even if the browser was closed.
Let's assume we did everything by the book to make sure the cookie itself is safe.
encrypt the content
set http only
set secure
ssl is used for the connection
we check for tampering with the content of the cookie
Is it possible to prevent someone with physical access to the machine to copy the cookie and reuse it on another machine and thus stealing the session?
It doesn't make sense to "protect" against this. If this kind of copying happens, then either:
The end user did it on purpose because they wanted to change computers. This is, of course, not something you should care about or be concerned about.
An attacker has already compromised the user's browser and gotten access to the cookies stored inside. By definition this cookie is a secret that proves the identity of the HTTP client. If the attacker already has access to it, they can already use it in any number of ways of their choosing that you won't be able to prevent or distinguish from the real user accessing the server legitimately.
This risk is inherent in using cookies to authenticate sessions: the cookie is a bearer token; anyone who can present the cookie is authenticated.
This is why you see further protections such as:
automatic log out after a certain amount of time, or period of inactivity;
device fingerprinting;
requiring re-authentication for critical actions (e.g. making a bank transfer or changing your password).
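An added example, not part of the answer above, showing two of the three listed protections as server-side policy on top of a session store: an idle timeout, an absolute timeout, and a recent-authentication requirement for critical actions. The timeout values and the timeline in copied_cookie_scenario are constructed; the password check itself is out of scope and is represented by the reauthenticate call. Times are passed in explicitly so the scenario is reproducible.

```python
import secrets
from typing import Any, Dict, Optional

# Policy values are constructed for the example; tune them to the application.
IDLE_TIMEOUT = 15 * 60        # log out after this much inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # log out this long after login regardless of activity
REAUTH_WINDOW = 5 * 60        # critical actions need a password check this recent


class SessionStore:
    """Server-side records keyed by an opaque session id carried in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, Any]] = {}

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now, "last_auth": now}
        return sid

    def touch(self, sid: str, now: float) -> Optional[str]:
        """Validate the session on an ordinary request; returns the user or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: destroy, do not merely abandon
            return None
        s["last_seen"] = now
        return s["user"]

    def reauthenticate(self, sid: str, now: float) -> bool:
        """Record a fresh password check (the check itself is out of scope here)."""
        if self.touch(sid, now) is None:
            return False
        self._sessions[sid]["last_auth"] = now
        return True

    def authorize_critical(self, sid: str, now: float) -> str:
        """Gate a critical action: 'allowed', 'reauth_required' or 'denied'."""
        if self.touch(sid, now) is None:
            return "denied"
        if now - self._sessions[sid]["last_auth"] > REAUTH_WINDOW:
            return "reauth_required"
        return "allowed"


def copied_cookie_scenario() -> Dict[str, Any]:
    """Constructed timeline: the cookie is copied off the machine right after
    login and presented from elsewhere later. Times are seconds after login."""
    store = SessionStore()
    sid = store.login("alice", now=0)
    outcome = {}
    # The copy works immediately: nothing distinguishes it from the real user.
    outcome["browse_at_60s"] = store.touch(sid, now=60)
    # Ten minutes later a transfer is attempted with the copy: re-auth demanded.
    outcome["transfer_at_10m"] = store.authorize_critical(sid, now=600)
    # Then 20 minutes of silence pass: the idle timeout destroys the session.
    outcome["browse_at_30m"] = store.touch(sid, now=600 + 20 * 60)
    # A fresh login followed by a prompt critical action is allowed.
    sid2 = store.login("alice", now=0)
    outcome["transfer_after_fresh_login"] = store.authorize_critical(sid2, now=120)
    return outcome


if __name__ == "__main__":
    print(copied_cookie_scenario())
```

The scenario makes the answer's point concrete: while the copied cookie is fresh it is indistinguishable from the real user, so the policies bound the damage window rather than preventing the copy.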
What methodologies do people recommend for mitigating the 'Firesheep' method for website applications?
We have thought about this and from a usability perspective, other than encrypting all traffic to a site, mitigating the attack can be somewhat of a problem for web developers.
One suggestion we came up with was to use path based cookies, and encrypt traffic for a specific path where account operations or personalised interaction happens. This however complicates usability, in as much as the rest of the site (the un-encrypted, un-authenticated bit) does not know who the user would be.
Does anyone have any other suggestions for mitigating this vector of attack, while maintaining a usable level of usability?
Firesheep is nothing new. Session hijacking has been going on for more than two decades. You don't need to "encrypt" your cookie; that's handled by your transport layer. Cookies must always be a cryptographic nonce.
Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. FireSheep is for script kiddies that fear 1 line of JavaScript, but it really doesn't make this attack any easier to perform.
Cookies can be hijacked if you don't use HTTPS for the entire life of the session, and this is part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.
1) Use httponly cookies. (Makes it so JavaScript cannot access document.cookie, but you can still do session riding with XSS.)
2) Use "secure cookies". (Horrible name, but it's a flag that forces the browser to make the cookie HTTPS only.)
3) Scan your web application for XSS using Sitewatch (free) or wapiti (open source).
Also don't forget about CSRF! (Which firesheep doesn't address)
Well, I found an interesting article on GitHub that describes a method of mitigating the firesheep attack.
https://github.com/blog/737-sidejack-prevention
Anybody tried taking advantage of the "Web Storage" in HTML 5 to store a shared key (passed during SSL-encrypted responses during authentication) that is used by javascript to alter the session cookie over time?
That way, the stolen (unencrypted) session cookies would only be valid for a short amount of time.
My guess is that Web Storage is segmented by port (in addition to host), so it wouldn't be possible. Just throwing that idea out there in case anybody wants to run with it.
When a user logs in, store the IP address in the session.
On each subsequent request from this session, check that the IP-address matches the one stored in the session.
Will this idea work? It seems pretty stupid, because my app is simply checking that the browser sent two copies of the same information (i.e. the session key).
Also, remembering to make this check sounds very tedious. Do web frameworks such as Rails and CakePHP have things that make it easier to write XSRF-proof web apps?
Assuming that the session key is not leaked (which could happen if your PHP is poorly configured and uses session.use_trans_sid) and you are not vulnerable to session fixation attacks, yes, this is secure. This is because a request forger cannot read your cookies, and thus does not know what the correct value is.
You may be interested in CSRF Magic, which claims to allow you to protect your application by including a single file.
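An added example (not from the question, the answer, or CSRF Magic) of the "two copies of the same information" check the question describes and the reasoning the answer gives for it: a cross-site forger can make the victim's browser attach cookies but cannot read them, so it cannot fill in a field that must match one. The design choice here, an assumption rather than something the thread states, is to compare the form field against a dedicated random CSRF cookie instead of the session key itself, so the session id is never copied into page bodies. The requests in forgery_scenario are constructed.

```python
import hmac
import secrets
from typing import Dict


def new_session() -> Dict[str, str]:
    """Constructed stand-in for login: the server sets a session cookie and a
    separate, random CSRF cookie. Neither is readable by another origin."""
    return {"session": secrets.token_urlsafe(32), "csrf": secrets.token_urlsafe(32)}


def render_form(cookies: Dict[str, str]) -> str:
    """The page the real user receives embeds the CSRF cookie's value in a
    hidden field (the 'second copy' the question mentions)."""
    return f'<input type="hidden" name="csrf" value="{cookies["csrf"]}">'


def handle_post(cookies: Dict[str, str], form: Dict[str, str]) -> int:
    """Double-submit check: the form field must equal the CSRF cookie.
    Returns an HTTP status code."""
    if "session" not in cookies:
        return 401
    cookie_token = cookies.get("csrf")
    form_token = form.get("csrf")
    if not cookie_token or not form_token:
        return 403
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, form_token):
        return 403
    return 200


def forgery_scenario() -> Dict[str, int]:
    """Three requests, all carrying the victim's cookies because the browser
    attaches them automatically; only the one built from the victim's own
    page carries a matching hidden field."""
    victim = new_session()
    attacker = new_session()
    # The legitimate client copies the field out of the page it was served.
    field = render_form(victim).split('value="')[1].rstrip('">')
    return {
        "legitimate": handle_post(victim, {"csrf": field}),
        "forged_no_token": handle_post(victim, {"amount": "1000"}),
        "forged_attacker_token": handle_post(victim, {"csrf": attacker["csrf"]}),
    }


if __name__ == "__main__":
    print(forgery_scenario())
    # {'legitimate': 200, 'forged_no_token': 403, 'forged_attacker_token': 403}
```

Frameworks such as the ones the question asks about ship this check as middleware or a form helper; the caveat the answer raises still applies, because any leak of the cookie value (a session id in a URL, or an XSS flaw on the same origin) lets the forger supply the matching copy.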