Can a user use a role from one identity on a different identity

Discussion in 'ASP .Net Security' started by Jeffrey, Sep 27, 2007.

  1. Jeffrey

    Jeffrey Guest

    Thinking about my application, I am worried about an exploit that I am not
    proficient enough to test. Can a user use a set of roles (fully encrypted
    cookie) gained by logging in on one account and pass it to another session
    with a different logon. That could make an "account administrator" of a small
    account an "account administrator" of a large account for which she may only
    be an "account user".

    If this is true, it is a major flaw in asp.net. I am going to attempt to
    block this exploit by storing the user id with a prefix as if it is a role
    and verify that it is there. This is rather kludgy.
    Jeffrey, Sep 27, 2007
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    In a web app where cookies are used as a security mechanism, if those
    cookies are somehow stolen and can be reused by someone else, the thief can
    generally impersonate the user. That's one of the things that makes cross
    site scripting so dangerous.

    This danger is common to all web apps that use cookies and is not an issue
    specific to ASP.NET.

    The thing to think about is the different ways that someone might be able
    to steal someone else's cookies. It could be cross site scripting or it
    could be by snooping on the network traffic. You can fight both of those by
    coding your app to avoid XSS attacks and using SSL to prevent snooping on
    the wire.

    If you are worried about one user just giving another user their cookies,
    there isn't a lot you can do about that. They would probably just give the
    user their password instead as that is much easier.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Jeffrey" <> wrote in message
    news:...
    > Thinking about my application, I am worried about an exploit that I am not
    > proficient enough to test. Can a user use a set of roles (fully encrypted
    > cookie) gained by logging in on one account and pass it to another session
    > with a different logon. That could make an "account administrator" of a
    > small
    > account an "account administrator" of a large account for which she may
    > only
    > be an "account user".
    >
    > If this is true, it is a major flaw in asp.net. I am going to attempt to
    > block this exploit by storing the user id with a prefix as if it is a role
    > and verify that it is there. This is rather kludgy.
    Joe Kaplan, Sep 27, 2007
    #2

  3. Jeffrey

    Jeffrey Guest

    Re: Can a user use a role from one identity on a different identity

    Actually, what I am worried about is the same user who has two different
    logins. It would not be hard for MS to include the user id in the role cookie
    and verify that it matches the users authentication cookie, but I do not see
    any evidence that they do that. Before I converted to ASP.net 2.0 providers,
    this was not an issue because I stuffed the roles into the authorization
    cookie and they could not be separated.

    -- Jeffrey

    "Joe Kaplan" wrote:

    > In a web app where cookies are used as a security mechanism, if those
    > cookies are somehow stolen and can be reused by someone else, the thief can
    > generally impersonate the user. That's one of the things that makes cross
    > site scripting so dangerous.
    >
    > This danger is common to all web apps that use cookies and is not an issue
    > specific to ASP.NET.
    >
    > The thing to think about is the different ways that someone might be able
    > to steal someone else's cookies. It could be cross site scripting or it
    > could be by snooping on the network traffic. You can fight both of those by
    > coding your app to avoid XSS attacks and using SSL to prevent snooping on
    > the wire.
    >
    > If you are worried about one user just giving another user their cookies,
    > there isn't a lot you can do about that. They would probably just give the
    > user their password instead as that is much easier.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > --
    > "Jeffrey" <> wrote in message
    > news:...
    > > Thinking about my application, I am worried about an exploit that I am not
    > > proficient enough to test. Can a user use a set of roles (fully encrypted
    > > cookie) gained by logging in on one account and pass it to another session
    > > with a different logon. That could make an "account administrator" of a
    > > small
    > > account an "account administrator" of a large account for which she may
    > > only
    > > be an "account user".
    > >
    > > If this is true, it is a major flaw in asp.net. I am going to attempt to
    > > block this exploit by storing the user id with a prefix as if it is a role
    > > and verify that it is there. This is rather kludgy.

    Jeffrey, Sep 27, 2007
    #3
  4. Joe Kaplan

    Joe Kaplan Guest

    Re: Can a user use a role from one identity on a different identity

    It reissues the role cookie when you log in though, so if you had a previous
    cookie, it would get overwritten. I don't see an issue with that
    necessarily.

    I don't know if they have anything inside the data in the cookie that
    attempts to match it with the authentication info to ensure if they are a
    match or not though. If you are concerned about whether or not that
    happens, you would need to do some more investigation.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Jeffrey" <> wrote in message
    news:...
    > Actually, what I am worried about is the same user who has two different
    > logins. It would not be hard for MS to include the user id in the role
    > cookie
    > and verify that it matches the users authentication cookie, but I do not
    > see
    > any evidence that they do that. Before I converted to ASP.net 2.0
    > providers,
    > this was not an issue because I stuffed the roles into the authorization
    > cookie and they could not be separated.
    >
    > -- Jeffrey
    >
    Joe Kaplan, Sep 27, 2007
    #4
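Added example (mine, not code from the thread and not ASP.NET's RoleManager internals): a small Python model of the two-cookie setup the thread is about, a signed authentication ticket plus a separately signed roles cache. The roles cache comes in three forms so the scenario can be run against each: "unbound" (the concern raised in #1), "pseudo_role" (the workaround in #1, a "uid:<name>" entry stored as if it were a role), and "bound" (the proposal in #3, the user name carried inside the roles ticket and compared to the authentication ticket). The ticket layout, the HMAC key, the role store and the user names are all constructed for this example. Whether the real role cookie carries and checks the user name is exactly what #4 says has to be verified against the framework, so read "bound" as the design to check for, not as a statement about what RoleManager does.

```python
"""
Model of the two-cookie design discussed in the thread: an authentication
ticket and a separate roles cache cookie, each independently MAC-protected.
Added example, not ASP.NET's own code. The ticket layout, the HMAC key,
the role store and the user names are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

# Constructed server-side key; a real application uses its configured machine key.
KEY = b"constructed-example-key-not-for-production"

# Constructed role store. One person holds two logins, as in the thread:
# administrator of a small account, ordinary user of a large one.
ROLE_STORE = {
    "jane@small": ["account_administrator"],
    "jane@large": ["account_user"],
}

# Forms of the roles cache cookie:
#   "unbound"     - holds only the role list (the worry in post #1)
#   "pseudo_role" - role list plus a "uid:<name>" marker role (post #1's workaround)
#   "bound"       - role list plus the user name, compared to the auth ticket (post #3)
MODES = ("unbound", "pseudo_role", "bound")


def _seal(data: dict) -> str:
    """Serialize and append an HMAC so the client cannot alter the payload."""
    payload = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def _open(ticket: str):
    """Return the payload dict, or None if the ticket is malformed or the MAC fails."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
    except ValueError:
        return None
    if len(raw) < 32:
        return None
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, payload, hashlib.sha256).digest()):
        return None
    return json.loads(payload)


def issue_auth_cookie(username: str) -> str:
    return _seal({"name": username})


def issue_roles_cookie(username: str, mode: str) -> str:
    data = {"roles": list(ROLE_STORE[username])}
    if mode == "pseudo_role":
        data["roles"].append("uid:" + username)
    elif mode == "bound":
        data["name"] = username
    return _seal(data)


def effective_roles(auth_cookie: str, roles_cookie, mode: str):
    """Roles the request runs with, given both cookies.
    Returns (username, roles), or None when the auth ticket does not verify."""
    auth = _open(auth_cookie)
    if auth is None:
        return None
    name = auth["name"]
    cached = _open(roles_cookie) if roles_cookie else None
    if cached is not None:
        if mode == "unbound":
            accept = True                                   # trusts any valid cache
        elif mode == "pseudo_role":
            accept = ("uid:" + name) in cached["roles"]     # marker must match this login
        else:
            accept = cached.get("name") == name             # cache must name this login
        if accept:
            return name, [r for r in cached["roles"] if not r.startswith("uid:")]
    # No usable cache: fresh lookup in the role store, as a cache miss would do.
    return name, list(ROLE_STORE[name])


def transplant(mode: str):
    """Post #1's scenario: log in as the small-account admin, keep that roles
    cookie, log in as the large-account user (which re-issues the roles cookie),
    then send the kept cookie instead. The client decides which cookie it sends."""
    kept_roles_cookie = issue_roles_cookie("jane@small", mode)
    large_auth = issue_auth_cookie("jane@large")
    return effective_roles(large_auth, kept_roles_cookie, mode)


def tampered(mode: str):
    """Editing the roles cookie without the key fails the MAC in every mode."""
    cookie = issue_roles_cookie("jane@large", mode)
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[0] ^= 0x01
    forged = base64.urlsafe_b64encode(bytes(raw)).decode()
    return effective_roles(issue_auth_cookie("jane@large"), forged, mode)


if __name__ == "__main__":
    for m in MODES:
        print(m, transplant(m))
```

Only the unbound form lets the kept admin cookie ride on the large-account login; the marker role and the embedded user name both send the request back to the store. Note what the model does not cover: the MAC stops editing the cookie and binding stops moving it between logins, but neither helps when both cookies are stolen together, which is Joe's point about XSS and sniffing, so HttpOnly and Secure flags and TLS are still needed. The fallback on a rejected cache is a fresh lookup, so a mismatch degrades to the correct roles rather than failing the request.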
