Session ID not random enough - ASP.NET


Question

Update

We eventually had a meeting with some programmers on the Acunetix team and they realized there may be a few bugs in their code that are causing this to be displayed in the scan as more of an issue than it actually may be. The general consensus was to ignore the scan results and use the out-of-the-box ASP.NET Session ID generation as it should be secure enough for our site.

@Vasile Bujac, since your answer was the only one and it mentioned using the ASP.NET standard solution, I took that as the answer, but thanks everyone for your help.

We use Acunetix's Retina scanner at work to do security scans on our applications. It's telling us that our session IDs are not random enough and too predictable. I'm not exactly sure how ASP.NET generates the session ID by default (I thought it was a GUID anyway?), but I went ahead and implemented the method of extending the SessionIDManager class and overriding the CreateSessionID and Validate methods to use a Guid, as explained in this MSDN article (http://msdn.microsoft.com/en-us/library/system.web.sessionstate.sessionidmanager.createsessionid.aspx).

While this makes it slightly more random, it is still not producing the "desired" effect according to Acunetix. I even added the regenerateExpiredSessionId="true" property to the web.config and that had no effect. I have a feeling that I may need to deliberately call Session.Abandon() to truly clear the session and get a new ID. Problem is then I have to call it right before a user logs in since it's the only fail-proof way to know the user is starting a new session. So I couldn't set anything in session until the next page is loaded with the way the Abandon method works, and that would mean an in-between page which isn't very ideal but would do the trick.

Has anyone ever experienced this or successfully implemented a fix?

Also, just an FYI, we don't use membership/forms authentication, we just create a new custom user class when someone logs in and save that in session for later use.

From the Acunetix report:

CWE-330
CAPEC-59
OWASP2007-A7

Description: Session tokens that exhibit low entropy ("randomness") are often susceptible to prediction attacks. Insecure tokens can be due to an inadequate pseudo-random number generator, time-based values, static values, or values based on user attributes (username or user ID). This means that an attacker would be able to guess a valid session token after monitoring the application for a short period of time and gathering the session tokens it creates. If the attacker determines a valid session token for another user, then it may be possible to view, modify, or delete arbitrary users' data without having to guess the victim's username or password. Consequently, the ability to deduce valid session tokens enables the attacker to bypass login pages and obviate the need to brute force accounts. Additionally, static tokens can enable the attacker to target users even if the victim is not currently logged into the application. This increases the pool of victims which the attacker can target.

Session tokens should be created with a strong random number generator and gathered from a large pool of numbers. For example, an operating system's rand() function can usually be sufficient if it can produce 32-bit values with a statistically uniform distribution. Poor session tokens are incremental, rely on the user's account ID, only use time stamps, or have other highly deterministic information. Other methods of protecting a session token's security are to always transmit it over SSL, automatically expire the token after a certain period of time, and explicitly expire the token whenever a user logs out of the application.

Recommendations: If the session values exhibit strong randomness, but are chosen from a small pool of values, then the attacker has a better chance of simply guessing a valid token. A web application's session management can be improved by implementing several complementary techniques:


  • Ensure that token values are at least 32 bits in size, especially for applications with large numbers of concurrent users and heavy daily page-request volumes.

  • The bit size of the entropy source (the random values) is more important than the bit size of the session token itself. For example, an MD5 hash produces a 128-bit value. However, the MD5 hash of an incremental value, a timestamp, or an 8-bit random number is insecure, because the source of the random value can easily be predicted. Consequently, the 128-bit size does not represent an accurate measure of the session token. The minimum size of the source should be 32 bits, and a larger pool (48 or 64 bits) is necessary for sites with more than 10,000 concurrent users per hour.

  • In most cases, application-generated tokens (such as ASP.NET_SessionId, ASPSESSIONID, JSPSESSIONID, PHPSESSIONID) provide random values large enough to prevent session prediction attacks. The application should use these session management algorithms unless a custom session mechanism has been thoroughly reviewed and tested.

  • Associate the session token with a server-side object to prevent user impersonation attacks.
  • Track user attributes. If the application does not strictly associate the user's session token with that user's profile information, an attacker can view arbitrary information by manipulating client-side values. For example, if the application sets a strong session token but executes SQL queries based on a UserID cookie, the attacker only needs to modify the UserID cookie to impersonate someone else. The application is more secure if the UserID value is associated with the server-side session object, because the attacker cannot modify that value.

  • Expire session tokens when the user logs out of the application or after a predetermined period of inactivity. We recommend a 20-minute timeout for session tokens, although this depends heavily on the type of application and its expected use.

Accepted answer

As I remember, the ASP.NET session ID generator gives good protection against session prediction. The session ID has 24 characters using [a-z] chars and [0-5] digits (a total of 32 possible chars, which is 2^5), which gives a total of 2^(5*24) = 2^120 possible values. However, you can implement a SessionIDManager to append some information (like the user host address, user agent, or a validation token using an HMAC algorithm) for even better protection, so that a session ID coming from a different IP address or a different browser wouldn't pass validation. If you have forms authentication implemented, this is not necessary, since the authentication ticket already provides these kinds of protection.

If you want a more random session ID, you can use a RandomNumberGenerator such as RNGCryptoServiceProvider in your SessionIDManager and fill a bunch of bytes (say 32, which is 256 bits), then encode them using Base64:

using System;
using System.Security.Cryptography;
// Inside your SessionIDManager subclass's CreateSessionID(HttpContext context) override:
byte[] random = new byte[32]; // 32 bytes = 256 bits, as described above
// RNGCryptoServiceProvider is a cryptographically strong random number generator.
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(random); // The array is now filled with cryptographically strong random bytes.
return Convert.ToBase64String(random); // 44 characters, within the 80-character SessionIDMaxLength

However, this article (http://msdn.microsoft.com/en-us/library/system.web.sessionstate.sessionidmanager.sessionidmaxlength.aspx) says that the max length of your session ID is 80, so you must override the Validate method also in order for it to work.
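A complete version of what the answer describes (a SessionIDManager that draws the ID from RNGCryptoServiceProvider and overrides Validate), plus a helper for the other concern raised in the question, getting a fresh ID at login without a Session.Abandon() round trip. This is an added example, not code from the question, the answer, or the MSDN articles they cite; it assumes a classic ASP.NET (System.Web) application, and the namespace, class and assembly names are hypothetical. It uses hex instead of Base64 so the ID contains no characters that are awkward in cookies or cookieless URLs.

```csharp
// Added example, not code from the original question or the answer above.
// Assumes classic ASP.NET (System.Web) session state; the namespace and class
// names are hypothetical.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

namespace Example.Security
{
    // Issues 256-bit session IDs from the OS CSPRNG and hex-encodes them, so the
    // value is safe both in the ASP.NET_SessionId cookie and in cookieless URLs
    // (Base64 would introduce '+', '/' and '=').
    public class StrongSessionIDManager : SessionIDManager
    {
        private const int RandomBytes = 32;           // 256 bits of entropy
        private const int IdLength = RandomBytes * 2; // 64 hex chars, under the 80-char SessionIDMaxLength
        private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

        public override string CreateSessionID(HttpContext context)
        {
            byte[] random = new byte[RandomBytes];
            Rng.GetBytes(random); // GetBytes is thread-safe, so one shared instance is fine
            return BitConverter.ToString(random).Replace("-", "").ToLowerInvariant();
        }

        // The base Validate() accepts only the default 24-char [a-z0-5] format, so
        // without this override every ID issued above would be rejected on the next
        // request and silently replaced with a new one.
        public override bool Validate(string id)
        {
            if (id == null || id.Length != IdLength)
                return false;
            foreach (char c in id)
            {
                bool isHex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f');
                if (!isHex)
                    return false;
            }
            return true;
        }
    }

    public static class SessionSecurity
    {
        // Issue a fresh ID after a successful credential check so the authenticated
        // session does not keep the ID it had while anonymous (session fixation).
        // Caveat: SessionStateModule persists this request's Session contents under
        // the ID it read at the start of the request, so anything written to Session
        // after this call lands in the old session. Call it, redirect, and populate
        // Session on the following request.
        public static string RegenerateSessionId(HttpContext context)
        {
            var manager = new StrongSessionIDManager();
            manager.Initialize(); // loads <sessionState> settings (cookie name, cookieless mode)
            string newId = manager.CreateSessionID(context);
            bool redirected, cookieAdded;
            manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
            return newId;
        }
    }
}
```

Register the manager in web.config, for example `<sessionState sessionIDManagerType="Example.Security.StrongSessionIDManager, ExampleAssembly" />` (the assembly name is hypothetical); without that registration the built-in manager rejects the 64-character IDs on every request. Binding the ID to the client IP or User-Agent, as the answer mentions, is optional and has costs: the User-Agent is attacker-controlled, and IP binding breaks users behind rotating proxies or mobile networks.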
