Velocity Reviews - Computer Hardware Reviews
Can a user use a role from one identity on a different identity

Jeffrey
09-27-2007
Thinking about my application, I am worried about an exploit that I am not
proficient enough to test. Can a user use a set of roles (fully encrypted
cookie) gained by logging in on one account and pass it to another session
with a different logon? That could make an "account administrator" of a small
account an "account administrator" of a large account for which she may only
be an "account user".

If this is true, it is a major flaw in asp.net. I am going to attempt to
block this exploit by storing the user id with a prefix as if it is a role
and verify that it is there. This is rather kludgy.

Joe Kaplan
09-27-2007
In a web app where cookies are used as a security mechanism, if those
cookies are somehow stolen and can be reused by someone else, the thief can
generally impersonate the user. That's one of the things that makes cross
site scripting so dangerous.

This danger is common to all web apps that use cookies and is not an issue
specific to ASP.NET.

The thing to think about is the different ways that someone might be able
to steal someone else's cookies. It could be cross site scripting or it
could be by snooping on the network traffic. You can fight both of those by
coding your app to avoid XSS attacks and using SSL to prevent snooping on
the wire.

If you are worried about one user just giving another user their cookies,
there isn't a lot you can do about that. They would probably just give the
user their password instead as that is much easier.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Jeffrey
09-27-2007
Actually, what I am worried about is the same user who has two different
logins. It would not be hard for MS to include the user id in the role cookie
and verify that it matches the users authentication cookie, but I do not see
any evidence that they do that. Before I converted to ASP.net 2.0 providers,
this was not an issue because I stuffed the roles into the authorization
cookie and they could not be separated.

-- Jeffrey


Joe Kaplan
09-27-2007
It reissues the role cookie when you log in though, so if you had a previous
cookie, it would get overwritten. I don't see an issue with that
necessarily.

I don't know if they have anything inside the data in the cookie that
attempts to match it with the authentication info to ensure if they are a
match or not though. If you are concerned about whether or not that
happens, you would need to do some more investigation.

Joe K.
