Saturday, March 31, 2012

Hunting asp.net Authentication and Session Ghosts

Asp.net handles the features of user authentication and user session in two different ways that sometimes may produce ghosts (bugs difficult to find) in our web applications.

The default forms authentication time is 20 mins. Session timeout is extended (to another 20 mins) for every request made to the server.
The default session time is 30 mins. When sliding expiration is true (that is the default), authentication timeout is extended for every request made to the server only after the first half of the total authentication time. The extension time is another 30 mins.

Sunday, January 1, 2012

Authorization Attacks using Session hijacking

Abstract
Most of authorization methods are based on the user, password pair, provided by the user. The stateless nature of the Internet requires the server to remember every user that has logged in. Web applications create a unique session for every user. This session is stored somewhere on the server, usually in the database and on users' box via cookies or GET/POST variables. How possible is, for a malicious user, to use these cookies for impersonation? In this article we will try to explore some methods that used very often by malicious people in order to impersonate users. We are not trying to find a totally new world, but to uncover, or better, to formulate, the most recent methods used against current web applications that allow malicious attackers to believe that they are successful. Cookie attacks formulation, Session Prediction, Cross Site Request Forgery and
Session Fixation are methods that will be described with real examples.