Web Configuration - Web.Config: TOP 10 Application Security Vulnerabilities in Web.Config Files

An additional problem is that Web.config files were designed to be changed at any time, even after the Web-based applications are in production.
By: Luqman Technologies - Website Designer Pakistan
 
Sept. 11, 2008 - PRLog -- TOP 10 (TEN) Application Security Vulnerabilities in Web.Config Files

About the Author:

Luqman Technologies Pakistan is a leading Search Engine Optimization (SEO Company) based in IT City Lahore Pakistan Asia. A Well Known Website Promotion Company providing Search Engine Marketing, Search Engine Placement and Search Engine Ranking Services, as well as Professional SEO Services, SEO Consultancy, Website Design and Web Development, Domain Name Registration and Website Hosting in Lahore, across Pakistan, and Worldwide to Textile, Telecom, Leather and Industry, Government, Foreign Missions and Embassies, Real Estate Brokers, Agents and Real Estate Companies worldwide. For more information please see our website http://www.luqman-technologies.com


A well-intentioned system administrator could inadvertently get around application security measures and open the Web site to attack just by modifying the configuration file.
And because .NET configuration files operate in a hierarchical manner, a single change to the global Machine.config file could affect every Web site on the entire server.
Part one of this article listed five of the most serious configuration vulnerabilities that are applicable to any ASP.NET Web-based applications.

This part will focus on authentication and authorization application security issues, and detail another five vulnerabilities commonly found in ASP.NET Web-based applications using Forms authentication.

It will also provide some best practices for application security, including locking down your configuration files to ensure that they are not unintentionally modified by well-meaning (but uninformed) programmers or administrators.
6. Cookieless Authentication Enabled
Just as in the "Cookieless Session State Enabled" vulnerability discussed in part one, enabling cookieless authentication in your Web-based applications can lead to session hijacking and problems with application security.

When a session or authentication token appears in the request URL rather than in a secure cookie, an attacker with a network monitoring tool can get around application security, easily take over that session, and effectively impersonate a legitimate user.
However, session hijacking has far more serious consequences for application security after a user has been authenticated.
For example, online shopping sites generally utilize Web-based applications that allow users to browse without having to provide an ID and password.
But when users are ready to make a purchase, or when they want to view their order status, they have to login and be authenticated by the system.
After logging in, sites provide access to more sensitive data, such as a user's order history, billing address, and credit card number.

Attackers hijacking this user's session before authentication can't usually obtain much useful information. But if the attacker hijacks the session after authentication, all that sensitive information could be compromised.
The best way to prevent session hijacking with Web-based applications is to disable cookieless authentication and force the use of cookies for storing authentication tokens.
This application security measure is added by setting the cookieless attribute of the forms element to the value UseCookies.
7. Failure to Require SSL for Authentication Cookies
Web-based applications use the Secure Sockets Layer (SSL) protocol to encrypt data passed between the Web server and the client.
Using SSL for application security means that attackers using network sniffers will not be able to interpret the exchanged data.
Rather than seeing plaintext requests and responses, they will see only an indecipherable jumble of meaningless characters.

You can require the forms authentication cookie from your Web-based applications to use SSL by setting the requireSSL attribute of the forms element to true.
The previous section discussed the importance of transmitting the authentication token in a cookie, rather than embedding it in the request URL.
However, disabling cookieless authentication is just the first step towards securing the authentication token.

Unless requests made to the Web server are encrypted, a network sniffer will still be able to read the authentication token from the request cookie.
An attacker would still be able to hijack the user's session.
At this point, you might be wondering why it is necessary for application security to disable cookieless authentication, since it is inconvenient for users who won't accept cookies, and since the request still has to be sent over SSL anyway.

The answer is that the request URL is often persisted regardless of whether or not it was sent via SSL.
Most major browsers save the complete URL in the browser history cache.
If the history cache were to be compromised, the user's login credentials would be as well.
Therefore, to truly secure the authentication token, you must require the authentication token to be stored in a cookie, and use SSL to ensure that the cookie be transmitted securely.

By setting the requireSSL attribute of the forms element to true, ASP.NET Web-based applications will only transmit the authentication cookie to the Web server over a secure connection.
Note that IIS requires additional configuration steps to support SSL.
You can find instructions to configure SSL for IIS on MSDN.
8. Sliding Expiration Used
All authenticated ASP.NET sessions have a timeout interval to protect application security. The default timeout value is 30 minutes.
So, 30 minutes after the user first logs into any of these Web-based applications, he will automatically be logged out and forced to re-authenticate with his credentials.
The slidingExpiration setting is an application security measure used to reduce risk to Web-based applications in case the authentication token is stolen.
When set to false, the specified timeout interval becomes a fixed period of time from the initial login, rather than a period of inactivity.
Attackers using a stolen authentication token have, at maximum, only the specified length of time to impersonate the user before the session times out.

Because typical attackers of these Web-based applications have only the token, and don't really know the user's credentials, they can't log back in as the legitimate user, so the stolen authentication token is now useless and the application security threat is mitigated.
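As an added example that is not part of the original article: a small Python audit that parses a web.config and flags the three forms-element settings covered in items 6, 7 and 8 (cookieless, requireSSL and slidingExpiration). The two config fragments are constructed for the example; absent attributes are treated as ASP.NET's documented defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the article).
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" cookieless="UseUri" requireSSL="false"
             slidingExpiration="true" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" cookieless="UseCookies" requireSSL="true"
             slidingExpiration="false" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""


def audit_forms_auth(web_config_xml: str) -> list[str]:
    """Return one finding per weak <forms> attribute (items 6, 7 and 8)."""
    root = ET.fromstring(web_config_xml)
    findings: list[str] = []
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return findings  # Forms authentication not in use; items 6-8 do not apply
    forms = auth.find("forms")
    # When an attribute is missing ASP.NET applies its default:
    # cookieless="UseDeviceProfile", requireSSL="false", slidingExpiration="true".
    attrs = {} if forms is None else forms.attrib
    cookieless = attrs.get("cookieless", "UseDeviceProfile")
    if cookieless.lower() != "usecookies":
        findings.append(f"6: cookieless={cookieless!r}; set cookieless='UseCookies'")
    if attrs.get("requireSSL", "false").lower() != "true":
        findings.append("7: requireSSL is not true; set requireSSL='true'")
    if attrs.get("slidingExpiration", "true").lower() != "false":
        findings.append("8: slidingExpiration is not false; set slidingExpiration='false'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forms_auth(cfg) or ["no findings"])
```

Because Machine.config and parent web.config files are inherited by every application below them, the same check is worth running against each level of the hierarchy, not only the site's own file.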

Contact The Author:

Luqman Technologies Pakistan is a Reputed Search Engine Optimization (SEO Company), Providing Total SEO and SEM (Search Engine Marketing) Solutions worldwide with a great focus on Quality Check, Assured, User and Search Engine’s Friendly Website Design, Web Development, We are a Reliable SEO Company you will like to hire for all your SEO needs; Our SEO Services include, Professional SEO Services, Cost Effective SEO Solutions, Affordable and Low Cost Search Engine Optimization, Search Engine Marketing, Search Engine Placement, Submission and Search Engine Advertising, As well as Link Building, Directory Submissions, Content Writing, Development, Article Writing, Press Releases Writing, Development and Distributions. We also provide Cheaper or cheapest Domain Name Registration and Web Site Hosting on Secure, Reliable and Error Free Web hosting Servers for All your Business Ecommerce and Personal Web hosting needs and Our Servers are Up all hours and are based in the United States of America in the neat and clean environment. To Contact us, please reach us via http://www.luqman-technologies.com/contactus.htm

# # #

Luqman Technologies Pakistan is Asia's Top Web Design SEO Services Company based in Lahore Pakistan. Our firm offerings include Link Building, Manual Directory Submissions, Outsourcing, SEM, Web Development, and Search Engine Optimization services.
End
Source:Luqman Technologies - Website Designer Pakistan
Zip:54000
Tags:Web Configuration, Web Config, Website Configuration Tips, Web Configurations, Website Developers, Website Designers
Industry:Website design
Location:Lahore - Punjab - Pakistan