Saturday, September 10, 2005

ASP.NET forms authentication security flaws

I read the white paper from Rudolph Araujo on ASP.NET forms authentication security flaws: http://www.foundstone.com/resources/whitepapers/ASPNETFormsAuthentication.pdf

It is amazing to me to think that you could still perform a cookie replay attack after you log out from the form (if the session is still valid).

In the web applications I am writing for my client I am using SOAP header authentication. The SOAP header credentials are compared with the ones in a secure data repository and added to the Application object to persist the session. No cookies are used. The only threat, as far as I know, could come from exploiting the clear-text credentials in the headers during transmission, but my web application runs under a VPN because it is a credit card application with special security requirements. I am interested in how secure SOAP header authentication is; maybe this paper might help me. Thanks, Rudy
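The replay the post finds surprising is easy to see in a small model of a self-contained, signed login ticket. This is an added Python example, not code from the post, from the Foundstone paper, or from ASP.NET itself: the ticket layout, the key, the user names and the timestamps are constructed for the demonstration. The naive server behaves the way a logout that only clears the client's cookie behaves: it keeps no server-side record, so anyone who copied the cookie can keep presenting it until the ticket's own expiry passes. The revoking server keeps the same ticket format but records a hash of the ticket at logout and refuses it afterwards; in a real deployment that record would live in a shared cache or database keyed on the cookie value, since the ticket itself carries nothing unique.

```python
"""Model of a self-contained signed login ticket and what logout does (and does not) do to it.
Constructed example: not ASP.NET's code; the ticket layout and key are made up for the demo."""
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real server keeps this in its configuration, never in source.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAC_LEN = 32  # bytes of HMAC-SHA256 appended to the ticket body


def issue_ticket(username, ttl_seconds, now, key=SERVER_KEY):
    """Issue a ticket the server can verify without storing anything: body || HMAC(body)."""
    body = json.dumps(
        {"user": username, "issued": now, "expires": now + ttl_seconds},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def parse_ticket(ticket, now, key=SERVER_KEY):
    """Return the ticket fields if the MAC is valid and the ticket has not expired, else None."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    fields = json.loads(body)
    if now >= fields["expires"]:
        return None
    return fields


class NaiveServer:
    """Logout only asks the client to drop its cookie; the server keeps no state about it.
    Anyone holding a copy of the cookie can keep using it until the ticket expires."""

    def logout(self, ticket, now):
        pass  # nothing to record: the ticket is verified purely by its MAC and expiry

    def authenticate(self, ticket, now):
        return parse_ticket(ticket, now)


class RevokingServer:
    """Same ticket format, but logout records the ticket so it is refused afterwards."""

    def __init__(self):
        self._revoked = {}  # ticket hash -> expiry, so old entries can be dropped

    @staticmethod
    def _key(ticket):
        return hashlib.sha256(ticket.encode()).hexdigest()

    def logout(self, ticket, now):
        fields = parse_ticket(ticket, now)
        if fields is not None:
            self._revoked[self._key(ticket)] = fields["expires"]

    def authenticate(self, ticket, now):
        # Revocations for tickets that have expired anyway can be forgotten; they never verify again.
        self._revoked = {k: exp for k, exp in self._revoked.items() if exp > now}
        if self._key(ticket) in self._revoked:
            return None
        return parse_ticket(ticket, now)


def demonstrate(now=1_000_000):
    """Replay a captured ticket after logout against both servers; return what each accepted."""
    ticket = issue_ticket("rudy", ttl_seconds=1800, now=now)  # constructed user and clock
    naive, revoking = NaiveServer(), RevokingServer()
    results = {}
    results["naive_before_logout"] = naive.authenticate(ticket, now + 60) is not None
    naive.logout(ticket, now + 60)
    results["naive_replay_after_logout"] = naive.authenticate(ticket, now + 120) is not None
    results["revoking_before_logout"] = revoking.authenticate(ticket, now + 60) is not None
    revoking.logout(ticket, now + 60)
    results["revoking_replay_after_logout"] = revoking.authenticate(ticket, now + 120) is not None
    results["expired_ticket_accepted"] = naive.authenticate(ticket, now + 1800) is not None
    forged = issue_ticket("admin", 1800, now, key=b"attacker-guess")  # wrong key: MAC fails
    results["forged_ticket_accepted"] = naive.authenticate(forged, now + 60) is not None
    return results


if __name__ == "__main__":
    for name, accepted in demonstrate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point the model makes is that a MAC and an expiry prove only that the server issued the ticket and that it is not yet too old; neither says anything about whether the user has since logged out. Short ticket lifetimes limit the replay window, and the server-side revocation record closes it, at the cost of the shared state a purely stateless cookie was meant to avoid.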

4 comments:

Webmaster said...

Hello, I was checking out the blogs on blogger.com for environmental cancer sites and ended up finding your very interesting blog by accident; I am certainly glad I did. Tremendous blog, would you mind if I link to your blog in my "favorites" page?

trustedconsultant said...

trustedconsultant on behalf of Rudolph Araujo: In general, with SOAP header authentication one of the things you need to worry about is a replay attack, where someone could replay an authentication packet. Further, even if it is an intranet app, you might need to consider the dangers of an insider attack. Finally, if needed, you should consider using WS-Security (even though this is still far from a perfect or flawless solution) and XML encryption and signatures as potential solutions. I like the notion of staying away from cookies, though, since that decreases your reliance on anything client-side, although I guess it does mean a perf overhead since you would need to authenticate for every SOAP request, right?
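The replay the comment warns about is what the nonce and timestamp in the WS-Security UsernameToken profile exist to stop. The following is an added Python example, not code from the post, the comment, or any WS-Security library: it builds the header fields as the profile defines them, with PasswordDigest = Base64(SHA-1(nonce + created + password)), and verifies them with a freshness window and a cache of nonces already seen. The user table, the password and the clock values are constructed for the demonstration, and the dictionary keys stand in for the wsse:UsernameToken child elements rather than producing actual XML.

```python
"""WS-Security UsernameToken (digest form) for a SOAP header, with replay protection.
Constructed example; the user store, password and timestamps are made up for the demo."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed user store. The verifier must recompute the digest, so it needs the password
# (or an equivalent secret); protect this store like the post's "secure data repository".
USERS = {"rudy": "correct horse battery staple"}
CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def created_string(now):
    """wsu:Created timestamp in the UTC form the profile expects."""
    return datetime.fromtimestamp(now, tz=timezone.utc).strftime(CREATED_FORMAT)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_username_token(username, password, now, nonce=None):
    """Client side: the fields that go into the wsse:UsernameToken header (as a dict, not XML)."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created_string(now)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side: recompute the digest, enforce a freshness window, refuse reused nonces."""

    def __init__(self, users, freshness_seconds=300):
        self._users = users
        self._window = freshness_seconds
        self._seen = {}  # raw nonce bytes -> time after which it can be forgotten

    def verify(self, token, now):
        """Return (accepted, reason)."""
        # A nonce only needs remembering while its Created time is still inside the window.
        self._seen = {n: until for n, until in self._seen.items() if until > now}
        password = self._users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = token["Created"]
            created_ts = datetime.strptime(created, CREATED_FORMAT).replace(
                tzinfo=timezone.utc).timestamp()
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        if abs(now - created_ts) > self._window:  # tolerate clock skew in both directions
            return False, "stale"
        if nonce in self._seen:  # keyed on decoded bytes so re-encoding the nonce does not help
            return False, "replay"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        self._seen[nonce] = now + self._window
        return True, "ok"


def demonstrate(now=1_700_000_000):
    """Send one token, replay it, then send a stale one and a forged one; return the verdicts."""
    verifier = UsernameTokenVerifier(USERS, freshness_seconds=300)
    token = build_username_token("rudy", USERS["rudy"], now)
    verdicts = {"first_use": verifier.verify(token, now + 5)}
    verdicts["replay"] = verifier.verify(token, now + 10)  # same header captured and resent
    old = build_username_token("rudy", USERS["rudy"], now - 3600)
    verdicts["stale"] = verifier.verify(old, now)
    forged = build_username_token("rudy", "wrong guess", now)
    verdicts["wrong_password"] = verifier.verify(forged, now)
    return verdicts


if __name__ == "__main__":
    for name, (accepted, reason) in demonstrate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Two caveats a practitioner would want. The nonce cache has to be shared by every node that verifies tokens, or a replay can simply be sent to a different node. And the digest only stops direct reuse of a captured header: anyone who observes the nonce, the Created value and the digest can run an offline dictionary attack on the password, so the header still needs transport protection (TLS, or the VPN the post relies on), and the message body still needs the XML signature the comment mentions if its integrity matters.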

Crazy Dan said...

Hi trustedconsultant, I found your blog while doing some research on network security vpn. I like your blog, thank you for sharing the information and keep up the good work!
I'll be back to see if you have any posts about network security vpn

Tito Maury said...

Hi trustedconsultant, your blog is excellent. As I was surfing around today looking for detailed info on mpls vpn security I somehow ended up on your page. As your mpls vpn security is not exactly related to my search, I am certainly glad I stopped by. Oh well, back to surfing and I am sure I will find what I am looking for, and should you ever need information about lighting photography, then stop by for a look. Thanks for the post.