5

I had a rather interesting case of hacking on my ASP.Net MVC website. For this website I had implemented a rather uncomplicated authentication system for my admin area -- an encrypted cookie which had an identifying signature for the member. Whenever the admin visits the website the cookie would be decrypted and signature verified. If matching he wouldn't have to sign in.

Couple of days ago a visitor on my site told me that he was able to sign into my website simply by clicking no a referral link on his Statcounter console which pointed to my admin area (I had visited his site from a link inside my admin view).

He just clicked on a link in statcounter and he was signed in as the admin!

The only way this could have happened was if statcounter somehow recorded my cookies and used those when he clicked on the link pointing to my admin!

Is that logical or fathomable?

I don't understand what's going on. Do you have any suggestions as to how I can protect my website against things like this?

Update : I created an IP address whitelisting system to protect my admin from unauthorised access. Basically the server will now compare the IP address of the visitor against a whitelist and only allow access if the ip address is in that list. It also supports wildcards so it will be okay even for dynamic ip addresses.

Although it is not foolproof, but it takes up the security many notches.

AstroCB
  • 12,337
  • 20
  • 57
  • 73
Cyril Gupta
  • 13,505
  • 11
  • 64
  • 87

5 Answers5

3

I don't know how you did the authentication on your site, but this is how I did it, and I don't thing that anyone could break this one:

var authTicket = new FormsAuthenticationTicket(
          1,
          userName,  //user id
          DateTime.Now,
          DateTime.Now.AddMinutes(20),  // expiry
          createPersistentCookie, 
          null,
          "/");

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));

        HttpContext.Current.Response.Cookies.Add(cookie);

this uses FormsAuthentication and it encrypts the cookie using the key from your machine.config

Cyril Gupta
  • 13,505
  • 11
  • 64
  • 87
Omu
  • 69,856
  • 92
  • 277
  • 407
  • No, I didn't use forms-authentication. I rolled my own and I was pretty convinced it shouldn't break. But apparently it has... And not due to willful hacking, just a link clicked. – Cyril Gupta Mar 20 '10 at 10:53
  • 2
    Why don't you like FormsAuthentication or WindowsAuthentication, is it not secure enough ?, I didn't heard anyone breaking those 2 – Omu Mar 20 '10 at 10:58
2

I don't see how that could have happened via StatCounter - even if it exposed the link to your admin area as described, his local machine wouldn't have the authentication cookie. Ask him to send you the link he followed, and try it yourself on a browser you don't normally use, or a different PC. My guess is there's something flawed in your authentication system that means that a link to the admin area automatically works if someone (ie, you) is already logged in elsewhere. Alternatively, the link includes your full credentials and that's not StatCounter's fault.

MartW
  • 12,348
  • 3
  • 44
  • 68
  • I am not using a static or global variable to hold the login details. It's done through the ViewData dictionary, so I don't think the issue you have outlined could have occurred. Do you have any other ideas. – Cyril Gupta Mar 20 '10 at 10:54
0

No, StatCounter doesn't keep a record of cookies!

Cookies can only be sent to/from their originating domain, so the cookies for your site could never have been sent to StatCounter anyway.

My guess is that the original member who accessed your admin site didn't have cookies enabled, and your .net website fell back to URL encoding the session id.

This session-encoded-in-a-url was recorded by StatCounter as a referral link, which leaked out the authentication.

More info: Session Hijacking Protection in ASP.NET

Community
  • 1
  • 1
EoghanM
  • 25,161
  • 23
  • 90
  • 123
0

Probably the site is vulnerable to passive XSS. I can you help, but you need post the site address.

For future, if you want to protect your (or user) cookie, set it like this:

$cookie = encoded($user-ip-address);


Next, to verify signature:

if ( decoded($cookie) == $user-ip-address ){
    //succesefull login
}
Victor
  • 5,493
  • 1
  • 27
  • 28
  • But the user's IP address is not permanent for most users and this is a long-term cookie (remember me). How can I use this? – Cyril Gupta Mar 20 '10 at 11:58
  • If login is not successful, you can show a login form, or, send an email with special link to user and inform it about this. Also, when is set cookie, is not required to use only IP, you can use subnet. For more secure, you can combine subnet + OS or Browser version. – Victor Mar 21 '10 at 01:03
0

Sounds like a stolen cookie via XSS. Pretty old article but this interest you.

KMån
  • 9,896
  • 2
  • 31
  • 41