Seccode Pages

Sunday, March 25, 2012

Cookieless Sessions with ASP.NET

Sometimes a security issue will sneak in to your code when you do not know what to look for. One great example of this is a Session Hijack attack which in code does not look like a vulnerability. The Session Hijacking attack we will explore today starts with Cookieless Sessions. Developers use cookieless sessions to attach the session to the URL which you might want to do for a variety of reasons:
  • Users might not have Cookies enabled,
  • cookies can be stolen,
  • etc...
Setting up the attack is fairly easy and can be done without looking like a problem to the developer. First create a new Website project in Visual Studio: File > New Website. Use the default setup for the site or customize it however you would like.

First we need to setup our interface that will capture our Session data. Copy the following standard interface code to the bottom of your Default.aspx page:

<asp:Label ID="lbl1" runat="server" Text="" BackColor="Green" ForeColor="White" />
    <asp:TextBox ID="txt" runat="server" />
    <asp:Button ID="btn" runat="server" OnClick="btn_Click" Text="Save Session" />

This is a simple Label that will display the value of our session variable. Now open the Default.aspx.cs code behind file and replace the Page_Load placeholder code with the following:

protected void Page_Load(object sender, EventArgs e)
        if (null != Session["testing"])
            lbl1.Text = Session["testing"].ToString();
    protected void btn_Click(object sender, EventArgs e)
        Session["testing"] = txt.Text;
        lbl1.Text = Session["testing"].ToString();

Notice that the code is simply checking for the Session value on load and if it exists, displaying it in a label control. We also setup an event handler for the Save button that will store the value of the text box. The final step to make the threat of Session Hijacking a vulnerability. To enable cookieless sessions we add the configuration element (in the web.config) for sessionState cookieless="true":

<sessionState cookieless="true"/>

Now, run the website in your default web browser. Enter a value in the text box and press the Save Session button. This will store the value of the text box into the Session variable called "testing". When the page reloads you will see the value load into the label.

Sessions are unique to connections and browsers so you can test this vulnerability by copying the session identifier in the URL into a new browser, you will keep your session and see the value you entered in the previous browser. This is because the Session ID is passed into the new browser will load the values on the Session to the new browser. In essence you can move your session between browsers, depending on the application deployment, between computers.

1 comment:

Olya Olegovna said...

Good information here. I will post these information to my facebook page. It is really very informative for others. FSD solutions