Library tutorials & articles

Top 10 Application Security Vulnerabilities in Web.config Files - Part Two

  • Comments (2)
  • PDF
  • AddThis
By Bryan Sullivan, published on 10 Jun 2007
Page 5 of 7
  1. Learn about Authentication and Authorization Application Security Issues
  2. Cookieless Authentication Enabled
  3. Failure to Require SSL for Authentication Cookies
  4. Sliding Expiration Used
  5. Non-Unique Authentication Cookie Used
  6. Hardcoded Credentials Used
  7. You're Not Out of the Woods Yet

Non-Unique Authentication Cookie Used

Over the last few sections, I hope I have successfully demonstrated the importance of application security and of storing your application's authentication token in a secure cookie value. But a cookie is more than just a value; it is a name-value pair. As strange as it seems, an improperly chosen cookie name can create an application security vulnerability just as dangerous as an improperly chosen storage location.

Vulnerable configuration: 

<configuration> 
	<system.web> 
		<authentication mode="Forms"> 
			<forms name=".ASPXAUTH">

Secure configuration: 

<configuration> 
	<system.web> 
		<authentication mode="Forms"> 
			<forms name="{abcd1234…}">

 

The default value for the name of the authentication cookie is .ASPXAUTH. If you have only one Web-based application on your server, then .ASPXAUTH is a perfectly secure choice for the cookie name. In fact, any choice would be secure. But, when your server runs multiple ASP.NET Web-based applications, it becomes critical to assign a unique authentication cookie name to each application. If the names are not unique, then users logging into any of the Web-based applications might inadvertently gain access to all of them. For example, a user logging into the online shopping site to view his order history might find that he is now able to access the administration application on the same site and change the prices of the items in his shopping cart.

The best way to ensure that all Web-based applications on your server have their own set of authorized users is to change the authentication cookie name to a unique value. Globally Unique Identifiers (GUIDs) are excellent choices for application security since they are guaranteed to be unique. Microsoft Visual Studio helpfully includes a tool that will automatically generate a GUID for you. You can find this tool in the Tools menu with the command name "Create GUID". Copy the generated GUID into the name attribute of the forms element in the configuration file.

Comments

  1. shaguf mohtisham
    14 Aug 2008 at 16:12

    If histoy is compromised,can't be the cookies compromised as well? and the hijack can still be performed.

  2. Developer Fusion Bot
    01 Jan 1999 at 00:00

    This thread is for discussions of Top 10 Application Security Vulnerabilities in Web.config Files - Part Two.

Leave a comment

Sign in or Join us (it's free).

Related tags

asp.net, iis, internet, security, web services
Bryan Sullivan Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the DevInspect and QAInspect Web security products, which help programmers mainta...

Related articles

Ask a question

Related discussion

Related podcasts

  • Episode 36: Scott Watermasysk

    This week, the Herding Code cast talks shop with Scott Watermasysk about cloud computing, blogging platforms, Internet Explorer, the DotNetOpenId project and much more: Scott W, Scott K and Jon discuss Azure, Amazon Web Services and Google App Engine. Jon asks Scott W to share his thoughts on bl...

Events coming up

Languages

Web Development

Frameworks & Architecture

Other major sections

Cancel
We'd love to hear what you think! Submit ideas or give us feedback