
I developed an application using C# and ASP.NET MVC4. In IIS it is set to use Windows authentication, which uses only the Kerberos provider.

I used Burp Suite to run tests for poor cookie randomness at the login page. The selected text in the picture was chosen to test how much the variable changes during 20k requests.


Results show that the estimated entropy is 0, so the variable doesn't change at all.


What options are there to increase the randomness of the selected part of the header? What general methods are there to increase the randomness of session variables stored in cookies?

    The header that you have highlighted is not a cookie and it is not random. It is a header used for NTLM authentication and this header is initially negotiated to authenticate your Windows identity. After the negotiation the header is reused for the entire session to avoid having a negotiation step on each request. Presumably this is why it does not change during your test. – Martin Liversage Mar 10 '15 at 13:50

1 Answer


As @MartinLiversage said, this isn't the cookie at all: it's a header from the [MS-N2HT]: Negotiate and Nego2 HTTP Authentication Protocol, which is used when the server receives a request for a protected object without proper auth data.

As you can see, in your case the schema is Authenticate:Negotiate, so there is no need to worry about some data being exposed:

The initial WWW-Authenticate header does not carry any auth-data when the header is "WWW-Authenticate:negotiate"; it does carry data when the header is "WWW-Authenticate:Nego2".

Moreover, this header is simply a base64 string and can be easily decrypted:

How do I decode a base64 encoded string?

As for cookies in general, try to add some salt and use the implemented crypto providers, say, the RSA provider or something. The question in its given form is too broad to find one solution.
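To see what Burp was actually measuring, here is an added example (not code from the question or the answer) that base64-decodes a Negotiate header value and reports whether the token is a bare challenge, an NTLMSSP message (and which type), or a SPNEGO token. The header values it runs on are constructed for the example, not taken from the asker's capture.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER OID 1.3.6.1.5.5.2 (SPNEGO)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_negotiate_header(header_value):
    """Decode an 'Authorization: Negotiate <token>' or 'WWW-Authenticate: Negotiate [<token>]'
    value and report what the token is. Returns a dict whose 'kind' is one of
    empty-challenge, ntlm, spnego or unknown."""
    parts = header_value.strip().split(None, 1)
    scheme = parts[0]
    if len(parts) == 1:
        # Bare "Negotiate" challenge: carries no auth-data, so there is nothing to vary
        return {"scheme": scheme, "kind": "empty-challenge"}
    token = base64.b64decode(parts[1], validate=True)
    if token.startswith(NTLMSSP_SIGNATURE):
        # NTLMSSP message: 8-byte signature followed by a little-endian message type
        (msg_type,) = struct.unpack_from("<I", token, len(NTLMSSP_SIGNATURE))
        return {"scheme": scheme, "kind": "ntlm",
                "message_type": msg_type, "message": NTLM_TYPES.get(msg_type, "UNKNOWN")}
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        # GSS-API InitialContextToken ([APPLICATION 0]) carrying the SPNEGO OID
        return {"scheme": scheme, "kind": "spnego"}
    return {"scheme": scheme, "kind": "unknown"}


def make_ntlm_type1(flags=0xE2088297):
    """Constructed sample: a minimal 32-byte NTLM NEGOTIATE (type 1) message."""
    body = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    body += struct.pack("<HHI", 0, 0, 32)  # DomainNameFields: len, maxlen, offset
    body += struct.pack("<HHI", 0, 0, 32)  # WorkstationFields: len, maxlen, offset
    return body


def make_spnego_shell():
    """Constructed sample: the outer shell of a SPNEGO NegTokenInit, enough to classify."""
    inner = SPNEGO_OID + b"\xa0\x02\x30\x00"
    return b"\x60" + bytes([len(inner)]) + inner


# Constructed header values, not the asker's captured traffic
SAMPLE_HEADERS = {
    "bare": "Negotiate",
    "ntlm": "Negotiate " + base64.b64encode(make_ntlm_type1()).decode(),
    "spnego": "Negotiate " + base64.b64encode(make_spnego_shell()).decode(),
}
```

A Negotiate token whose base64 begins with `TlRMTVNT` is an NTLMSSP message (that prefix is just `NTLMSSP` encoded), i.e. the authentication data the comment above describes, not a session identifier, so an entropy test on it says nothing about the application's cookies.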
