Saturday, September 10, 2005

ASP.NET form authentication security flaws

I read the white paper from Araujo Rudolph on ASP.NET form authentication security flaws: http://www.foundstone.com/resources/whitepapers/ASPNETFormsAuthentication.pdf

It is amazing to me to think that you could still perform a cookie replay attack after you log out from the form (if the session is valid). In the web applications I am writing for my client I am using SOAP header authentication. The SOAP header credentials are compared with the ones in a secure data repository and added to the application object to persist the session. No cookies are used. The only threat, as far as I know, could come from exploiting the clear text credentials in the headers during transmission, but my web application runs under a VPN because it is a credit card application with special security. I am interested in how secure SOAP header authentication is; maybe this paper might help me. Thanks, Rudy

1 comment:

trustedconsultant said...

trustedconsultant on behalf of Rudolph Araujo: In general, with SOAP header authentication one of the things you need to worry about is a replay attack, where someone could replay an authentication packet. Further, even if it is an intranet app you might need to consider the dangers of an insider attack. Finally, if needed you should consider using WS-Security (even though this is still far from a perfect or flawless solution) and XML encryption and signatures as potential solutions. I like the notion of staying away from cookies though, since that decreases your reliance on anything client side, although I guess it does mean a perf overhead since you would need to authenticate for every SOAP request, right?
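As an added example (not code from the post, the comment, or the Foundstone paper), this is the replay defence the comment alludes to, in Python, using the WS-Security UsernameToken PasswordDigest profile: the client sends a nonce, a creation timestamp and a SHA-1 digest instead of the cleartext credentials the post describes, and the server rejects any token that is stale or whose nonce it has already accepted. The credential store, user names, timestamps and the fixed nonce are constructed for the example.

```python
import base64, calendar, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}
def password_digest(nonce_b64, created, password):
    # UsernameToken profile: Base64(SHA-1(nonce + created + password)); the password itself never travels
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()
def parse_created(created):
    # wsu:Created is an xsd:dateTime in UTC; returns epoch seconds, raises ValueError if malformed
    return calendar.timegm(time.strptime(created, "%Y-%m-%dT%H:%M:%SZ"))

def build_envelope(user, password, created, nonce_b64=None):
    # Client side: constructed SOAP request carrying a digest UsernameToken (fresh random nonce by default)
    nonce_b64 = nonce_b64 or base64.b64encode(secrets.token_bytes(16)).decode()
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username><wsse:Nonce>{nonce_b64}</wsse:Nonce>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce_b64, created, password)}</wsse:Password>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')

class UsernameTokenVerifier:
    # Server side: a token is accepted once, and only inside the freshness window
    def __init__(self, passwords, max_skew=300):
        self.passwords = passwords   # user -> password; hypothetical credential store
        self.max_skew = max_skew     # seconds of clock drift tolerated on wsu:Created
        self.seen = {}               # nonce -> time after which it could no longer be replayed anyway
    def verify(self, envelope_xml, now=None):
        now = time.time() if now is None else now
        tok = ET.fromstring(envelope_xml).find(".//wsse:UsernameToken", NS)
        pw = tok.find("wsse:Password", NS) if tok is not None else None
        if pw is None or pw.get("Type") != DIGEST:
            return False, "missing token or non-digest password"
        user, nonce, created = (tok.findtext(p, namespaces=NS)
                                for p in ("wsse:Username", "wsse:Nonce", "wsu:Created"))
        try:
            created_ts = parse_created(created or "")
            expected = password_digest(nonce or "", created, self.passwords.get(user, ""))
        except ValueError:  # malformed timestamp or nonce (binascii.Error is a ValueError)
            return False, "malformed Created or Nonce"
        if not (user and nonce) or abs(now - created_ts) > self.max_skew:
            return False, "missing Username or stale Created"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # forget expired nonces
        if nonce in self.seen:
            return False, "replayed nonce"
        if user not in self.passwords or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            return False, "bad credentials"
        self.seen[nonce] = now + self.max_skew   # older tokens are already rejected as stale
        return True, user
```

The nonce cache only has to cover the freshness window, which is what keeps its size bounded; transport protection (the VPN in the post, or XML signatures) is still needed to stop an observer from using a fresh captured token within that window.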