ASP.Net Unsafe Authentication Forms
ID | csharp.unsafe_authentication_forms
Severity | high
Resource | Misconfiguration
Language | CSharp
Tags | CWE:523, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3, aspnet
Description
Improper configuration of forms authentication in ASP.NET can weaken security controls and expose the application to various attacks, including session hijacking.
Rationale
Forms authentication in ASP.NET applications relies heavily on configurations defined in the web.config file. If not properly configured, it can compromise session security and the overall security posture of the application.
A common misconfiguration involves setting requireSSL to false, which permits authentication cookies to be transmitted over unencrypted connections. This makes them vulnerable to interception and theft via Man-In-The-Middle (MITM) attacks.
An example of unsafe configuration:
<authentication mode="Forms">
<forms name="customer_login" timeout="30" loginUrl="~/WebGoatCoins/CustomerLogin.aspx" requireSSL="false" />
</authentication>
In the example above, requireSSL="false" allows forms authentication cookies to be sent over an unsecured connection (HTTP), which is a significant security risk.
Remediation
To secure your ASP.NET application, ensure that authentication cookies are always transmitted over secure channels. Set the requireSSL attribute to true in your forms authentication configuration to enforce this policy.
<authentication mode="Forms">
<forms name="customer_login" timeout="30" loginUrl="~/WebGoatCoins/CustomerLogin.aspx" requireSSL="true" />
</authentication>
Additionally, regularly audit your authentication configurations to ensure they align with security best practices. Use secure, encrypted connections (HTTPS) exclusively for sensitive data transmission and authentication processes to prevent unauthorized exposure of cookies and other credentials in transit.
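As an added example, not part of the rule's own documentation, the following Python script audits a web.config for forms authentication elements that would allow the authentication cookie to travel over HTTP. The config fragments are constructed samples; the script treats a missing requireSSL attribute as a finding because ASP.NET defaults it to false.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from the original page):
# one with the unsafe setting, one secured, one omitting the attribute.
UNSAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="customer_login" timeout="30" loginUrl="~/Login.aspx" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>"""

SAFE_CONFIG = UNSAFE_CONFIG.replace('requireSSL="false"', 'requireSSL="true"')
IMPLICIT_CONFIG = UNSAFE_CONFIG.replace(' requireSSL="false"', '')


def audit_forms_auth(config_xml: str) -> list[str]:
    """Return one finding per <forms> element whose cookie may be sent over HTTP.

    ASP.NET defaults requireSSL to false when the attribute is absent, so a
    missing attribute is reported just like an explicit "false".
    """
    findings = []
    root = ET.fromstring(config_xml)
    # <authentication> may sit under <system.web> or inside <location> blocks,
    # so walk the whole tree rather than assuming one fixed path.
    for auth in root.iter("authentication"):
        if auth.get("mode", "").lower() != "forms":
            continue  # Windows/None modes do not issue a forms cookie
        for forms in auth.findall("forms"):
            name = forms.get("name", "(unnamed)")
            value = forms.get("requireSSL")
            if value is None:
                findings.append(f"{name}: requireSSL not set (defaults to false)")
            elif value.strip().lower() != "true":
                findings.append(f'{name}: requireSSL="{value}"')
    return findings


if __name__ == "__main__":
    for label, cfg in [("unsafe", UNSAFE_CONFIG), ("safe", SAFE_CONFIG), ("implicit", IMPLICIT_CONFIG)]:
        print(label, audit_forms_auth(cfg) or "no findings")
```

Once requireSSL="true" is in place, ASP.NET marks the cookie Secure and refuses to issue it on a non-HTTPS request, so the site must actually be served over HTTPS or logins will fail.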
References
- CWE-523: Unprotected Transport of Credentials.