
Session Fixation


Session Fixation is an attack that permits an attacker to hijack a valid user session. It exploits a limitation in how the web application manages the session ID: the vulnerable application does not assign a new session ID when it authenticates a user, so a session ID that already existed before login keeps working after login. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing the victim to authenticate with that session ID (for example through a link that carries it in the URL, or a cookie planted in the victim's browser), and then hijacking the now-authenticated session, since the attacker already knows the ID. In short, the attacker has to supply a legitimate session ID for the application and get the victim's browser to use it.



Session Fixation Protection

The idea is this: since ASP gives page code no write access to the ASPSESSIONIDxxxxx session cookie (ASP.NET_SessionId in ASP.NET) and will not let us change it, we use an additional cookie that we do control to detect tampering. We set a cookie in the user's browser to a random value and store the same value in a session variable. If the session variable and the cookie ever stop matching, we have a potential fixation attack: invalidate the session and force the user to log on again. Two caveats: the token must be unguessable (the sample below uses a GUID; a value from the framework's cryptographic random number generator is the conservative choice) and the cookie should be marked HttpOnly so page script cannot read it. The check also only helps when the attacker cannot plant the AuthToken cookie in the victim's browser along with the session cookie, so where the framework allows it, regenerating the session ID at login remains the stronger fix.


In the Logout function, make sure you also remove this new "AuthToken" cookie. To remove the cookie, set its expiration date to a time in the past (for example a few months before the current date), which makes the browser discard it.

Sample Code to fix Session fixation

Step: 1 Add the code below to the Page_Load event of the landing page (the page that issues the token; it must be reachable without a valid token).
// Issue a token whenever the current session has none. Testing only the
// session (not also the cookie) means a stale AuthToken cookie left over
// from an expired session cannot block a new one from being issued.
if (Session["AuthToken"] == null)
{
    string guid = Guid.NewGuid().ToString();
    Session["AuthToken"] = guid;
    // now create a cookie carrying the same value; HttpOnly keeps it from page script
    HttpCookie authCookie = new HttpCookie("AuthToken", guid);
    authCookie.HttpOnly = true;
    Response.Cookies.Add(authCookie);
}

Step: 2 Add the code below to the Page_Load event of the master page.
// Both copies must exist and match; otherwise treat the session as fixed
// and send the user to the login page. Login.aspx itself must not use this
// master page, or the redirect would loop.
if (Session["AuthToken"] != null && Request.Cookies["AuthToken"] != null)
{
    if (!Session["AuthToken"].ToString().Equals(Request.Cookies["AuthToken"].Value))
        Response.Redirect("Login.aspx");
}
else
    Response.Redirect("Login.aspx");

Step: 3 Add the code below to the logout click event.
Session.Clear();
Session.Abandon();
// Expire the AuthToken cookie so the browser drops it (see the logout note above).
HttpCookie expired = new HttpCookie("AuthToken", string.Empty);
expired.Expires = DateTime.Now.AddMonths(-3);
Response.Cookies.Add(expired);
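The three steps above gathered into one helper class for ASP.NET Web Forms. This is an added example and not the post's own code; the class name SessionTokenGuard, its method names and the Login.aspx page name are assumptions. It goes beyond the steps in two places: the token comes from the framework's cryptographic random number generator rather than a GUID, and RegenerateSessionId replaces the pre-login session ID at login using System.Web's SessionIDManager, which is the direct fix for fixation where it is available.

```csharp
// Added example, not code from the post. Assumed names: SessionTokenGuard,
// its methods, and the "Login.aspx" page.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

public static class SessionTokenGuard
{
    private const string TokenName = "AuthToken";
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Step 1: bind a fresh random token to the current session and hand the
    // same value to the browser. Called from the landing page's Page_Load.
    public static void Issue(HttpContext ctx)
    {
        string token = NewToken();
        ctx.Session[TokenName] = token;
        ctx.Response.Cookies.Add(new HttpCookie(TokenName, token)
        {
            HttpOnly = true,                          // keep it away from page script
            Secure = ctx.Request.IsSecureConnection   // HTTPS-only when the site is HTTPS
        });
    }

    // Step 2: the browser's copy must match the session's copy. A mismatch,
    // or a copy missing on either side, is treated as a possible fixation.
    public static bool IsValid(HttpContext ctx)
    {
        string expected = ctx.Session[TokenName] as string;
        HttpCookie presented = ctx.Request.Cookies[TokenName];
        if (expected == null || presented == null || string.IsNullOrEmpty(presented.Value))
            return false;
        return ConstantTimeEquals(expected, presented.Value);
    }

    // Called from the master page's Page_Load; the login page must not use that master.
    public static void EnforceOrRedirect(HttpContext ctx, string loginUrl = "Login.aspx")
    {
        if (!IsValid(ctx))
        {
            Logout(ctx);                    // discard whatever state the request carried
            ctx.Response.Redirect(loginUrl, true);
        }
    }

    // Step 3: clear server-side state and expire both cookies so the next request
    // starts with a new session ID and a new token instead of reusing the old ones.
    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        Expire(ctx, TokenName);
        Expire(ctx, SessionCookieName);
    }

    // At successful login: replace the pre-authentication session ID with a new one,
    // so an ID an attacker fixed before login never becomes an authenticated one.
    // The old session's data is discarded, so call this before storing anything
    // in the authenticated session, then redirect.
    public static void RegenerateSessionId(HttpContext ctx)
    {
        ctx.Session.Abandon();
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        manager.SaveSessionID(ctx, newId, out redirected, out cookieAdded);
    }

    private static string NewToken()
    {
        // 16 bytes from the OS CSPRNG, hex-encoded so the value is cookie-safe.
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    private static void Expire(HttpContext ctx, string name)
    {
        // A cookie with an expiry in the past is deleted by the browser on receipt.
        ctx.Response.Cookies.Add(new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddMonths(-3),
            HttpOnly = true
        });
    }

    // Compares every character rather than stopping at the first difference,
    // so a partial match is not distinguishable from a full mismatch by timing.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wire-up: the landing page calls SessionTokenGuard.Issue(Context) in Page_Load when Session["AuthToken"] is null; the master page calls SessionTokenGuard.EnforceOrRedirect(Context) in Page_Load; the login button calls RegenerateSessionId(Context) after the credentials check and then redirects to the landing page, which issues the token for the new session on that next request; the logout button calls Logout(Context). Because ASP.NET mirrors cookies added to Response.Cookies into Request.Cookies for the same request, a page that issues the token in its own Page_Load still passes the master page check that runs afterwards.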


How to Test?

Step: 1 Load the page and note the session ID (ASP.NET_SessionId) and AuthToken cookie values, as shown in the screenshot below.

Step: 2 Tamper with the session ID and/or the AuthToken value (for example with an intercepting proxy or the browser's cookie editor).

Step: 3 Submit the request or navigate to another page.


The application redirects to the login page, because the ASP.NET_SessionId and AuthToken pair no longer matches what the server holds.



