A5-Security Misconfiguration Attack/ Missing Secure Attribute in Encrypted Session (SSL) Cookie

Missing Secure Attribute in  Encrypted Session (SSL) Cookie.
Secure flag is not set for the all cookies through-out the application

Description: Cookie set during an SSL encryption session can be send via the browser in an unencrypted  if secured attribute is not set. By enabling the secured attribute for https it ensures the cookies cannot be stolen by using unencrypted channels.

Hi Friends while developing an internet based application I came across an issue in security assessment report which is mentioned as the today’s topic of mine.

In order to elaborate the problem, take an example of application which uses cookies based authentication. In order to see the actual problem you need to add Web Developer extension in chrome or Firefox.

So you create and asp.net MVC or asp.net web forms application and use cookie based authentication in your web application. Sending a cookie over an unencrypted channel might allow an attacker to eavesdrop and intercept the cookie which is quit dangerous this attacks comes under A5-Security Misconfiguration.

Example of the same:


Once you have added the web developer extension and ran the web application go to Web Developer setting as shown below:


Once you click on the button it will pop up with list of option that you may interested as shown below, here I am focussed about cookies information:


Go to view cookie information and you will see the following information:


The above figure demonstrate that we have two cookies that is being used till this page.

Second cookie which is an session:


I hope you have figured out the problem, so as our application has to be available online.

It’s prone to several attacks, and as a developer we majorly think about creating paper requirement into real life apps. I am here mentioning only a specific Best practice deviation which needed to be followed in order to resolve the attack from the hacker.

So what does this Secure Attribute is all about?

The secure attribute tells the browser to only use this cookie via secure/encrypted connections. Web servers should also set this cookie via secure channels and therefore prevent anyone from intercepting the cookie.

*Note: It is recommended that the ‘Secure’ attribute be set to True to ensure that the SSL connection is needed to access the cookie.

Solution or Best Practise:

Add

<system.web>

<httpCookies requireSSL=”true”/>

requireSSL: Sets a value indicating whether Secure Sockets Layer (SSL) communication is required.

This is to be added in deployment server, this tag will enable Secure flag in ASP.NET session cookies, this will need a SSL certificate in local machine if enabled.

To enable Secure flag for authentication Cookie we need to add following code in global.asax file:


This below code will execute at end of every request and will check if the Forms Authentication is null of not. If not than set cookie as secure. Once I did this I eventually solve the secure issue in authentication cookie as shown below:

After implementing the mentioned changes in the application:


I hope this best practise would be helpful to you all. Please feel free to reply and share the best practises you follow in order to develop your web application irrespective of the frameworks we use.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.