FormsAuthenticationTicket cannot be invalidated server side. Causing cookie replay attacks
Question
I have an ASP.NET web application using forms membership authentication. We have recently been penetration tested and an issue that was flagged was the ability to steal a user's account. If the .ASPXAUTH cookie value was copied from a user before logging out, a user could log in as a different user, edit their cookie to match the copied value and get all of their privileges.
On logging out I have tried:
- Removing the cookie. I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.
- Using FormsAuthentication.SignOut(), but found it does not prevent the attack.
I personally don't see this as a problem; I believe the only way it could be stolen is if a user manages to gain access to an authenticated user. This said, I need to fix this problem to appease the penetration testers.
Any ideas would be greatly appreciated! Thanks
Answer

> On logging out I have tried: Removing the cookie.
> I could successfully do this but it doesn't invalidate the FormsAuthenticationTicket.

Actually when you remove the cookie, you remove it from your user - you can not de-activate it, so if someone gets it, he can still use it.
The solutions can be:
- Save the status of the authentication cookie also on server.
- Connect the status of logged user with their session.
Read more about it also here: Can some hacker steal the cookie from a user and login with that name on a web site? (http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s)
and Form Authentication - Cookie replay attack - protection (http://stackoverflow.com/questions/16062808/form-authentication-cookie-replay-attack-protection)
and http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
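The two server-side measures the answer lists (keep the cookie's status on the server, and tie the logged-in user's status to something the server controls) can be combined in one mechanism. The C# below is an added example, not code from the question or the answer: each issued FormsAuthenticationTicket carries a per-user version string in its UserData, the server remembers the current version, logout revokes it, and every request compares the two. A copied .ASPXAUTH cookie then stops working the moment the legitimate user logs out. The class names, the in-memory dictionary store and the 30-minute ticket lifetime are assumptions for illustration; the FormsAuthentication, FormsAuthenticationTicket, FormsIdentity and HttpCookie APIs are the standard System.Web ones.

```csharp
// Added example (not from the original question or answer): server-side
// invalidation of a FormsAuthenticationTicket by binding each ticket to a
// per-user "ticket version" held on the server. Logging out revokes the
// version, so a previously copied .ASPXAUTH cookie no longer matches and is
// rejected. The store is an in-memory dictionary for illustration only
// (assumption); a real deployment would use a database or distributed cache.
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketVersionStore
{
    // user name -> version currently accepted for that user (hypothetical store)
    private static readonly ConcurrentDictionary<string, string> Versions =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static string Issue(string userName)
    {
        string version = Guid.NewGuid().ToString("N");
        Versions[userName] = version;
        return version;
    }

    public static bool IsCurrent(string userName, string version)
    {
        string current;
        return Versions.TryGetValue(userName, out current) && current == version;
    }

    public static void Revoke(string userName)
    {
        string ignored;
        Versions.TryRemove(userName, out ignored);
    }
}

public static class ServerSideFormsAuth
{
    // Call after the credentials have been verified, in place of
    // FormsAuthentication.SetAuthCookie, so the ticket carries the version.
    public static void SignIn(HttpResponse response, string userName)
    {
        string version = TicketVersionStore.Issue(userName);
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, version, FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Logout: revoke the server-side version AND remove the cookie. Removing
    // the cookie alone (the behaviour the question describes) leaves a copied
    // ticket valid; revoking the version is what actually kills it.
    public static void SignOut(string userName)
    {
        TicketVersionStore.Revoke(userName);
        FormsAuthentication.SignOut();
    }

    // Per-request check. Wire it up from Global.asax:
    //   protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    //   { ServerSideFormsAuth.ValidateRequest(HttpContext.Current); }
    public static void ValidateRequest(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return; // request is not forms-authenticated

        FormsAuthenticationTicket ticket = identity.Ticket;
        if (TicketVersionStore.IsCurrent(ticket.Name, ticket.UserData)) return;

        // Replayed or revoked ticket: clear the cookie, downgrade the request
        // to anonymous and send the caller back to the login page.
        FormsAuthentication.SignOut();
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Because the version is stored per user rather than per ticket, a logout from one browser invalidates every outstanding ticket for that account; if concurrent sessions must survive each other, keep a set of live versions per user and revoke only the one in the outgoing ticket. The in-memory store also means a restart or a second web server rejects all existing tickets, which fails safe but is the reason a shared store is the realistic choice.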