BASM - Broken Authentication and Session Management avoid it in ASPNET WebForms
Matías Creimerman - Buenos Aires, Argentina - 2012-06-20

Usually people think that a user session of a ASP.NET webforms application with IIS, cannot be broken or intercepted by another client, but this is not true.

Some years ago, my product owner request me to fix a vulnerability issue in an application.

The application was developed in this way (I will use fake names):

Logout Event:

Membership.DeleteUser(Membership.GetUser(true).UserName, true);
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddSeconds(-30);
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId",""));

The developers and testers when made the tests, they don't detect any error or vulnerability. Also the developers tried to change some lines of these code to kill the session but the issue is still alive.

When I took the problem, I analyzed the situation and with some tools I intercepted the requests from my browsers and change the parameters to emulate different and several situations. I could broke the security and enter to the application without login process. Also, I could enter with another users.

So, what was the problem?

A few developers know about that the user sessions of ASP.NET application have an extra lifetime on IIS.
If you decompile a .NET library, you can find that the IIS give an extra lifetime of each session on server. I supose that fix any performance issue but the session is still alive. So if you get the cookies to authenticate from any other client you can still authenticated on the application becuase IIS just check if the cookie information is still alive on server.

What was the solution?

I create a server variable. This variable was instanced on the login and killed on the logout.

On the global.asax for each request to the application, the method must verify this variable is alive (or with any user information). In other case, the request will be invalid.

Also, to strong the authentication, you can build an aditional process to create a cookie with custom information and validate it on server.

Also, I created a process that kill all open sessions that no have any activity by a period of time.

This content is property of Matias Creimerman
Any misuse of this material will be punishable
This work is licensed under a
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License
Creative Commons License