Resolving The A5-Security Misconfiguration

Hi Friends!

While developing an internet-facing application, I came across a finding in a security assessment report, and that finding is today's topic.

To illustrate the problem, let's take an application that uses cookie-based authentication. To see the problem for yourself, install the Web Developer extension in Chrome or Firefox.

So, you create an ASP.NET MVC or ASP.NET Web Forms application and use cookie-based authentication. If the cookie is not marked Secure, the browser also sends it over plain HTTP, and an attacker positioned on the network can eavesdrop, capture the cookie and replay it to take over the session. A missing Secure flag is classified under OWASP A5 - Security Misconfiguration.

Example - 

Once you have installed the Web Developer extension, run the web application and open the Web Developer settings.

Clicking the Settings button pops up a list of options, as shown below. Here I am interested in the cookie information.

Choose View Cookie Information and you will see the following.

The figure above shows the two cookies that are used on this page.

The second cookie is the session cookie. Neither cookie carries the Secure flag.

I hope you have spotted the problem. Because our application is going to be available online, it is exposed to a range of attacks, while as developers we mostly think about turning paper requirements into working apps. Here I cover only the one best-practice deviation that needs to be fixed to close off this attack.

So, what is the Secure attribute all about?

The Secure attribute tells the browser to send the cookie only over an encrypted (HTTPS) connection; it is never attached to a plain HTTP request, even one to the same host. The server should likewise only ever set the cookie over an encrypted channel, so that nobody on the network path can intercept it.

Note: It is recommended that the Secure attribute is set to true, so that an SSL/TLS connection is required before the browser will send the cookie.

Solution or Best Practice

  <system.web>
    <httpCookies requireSSL="true" />
  </system.web>
requireSSL - sets whether Secure Sockets Layer (SSL) communication is required; when true, the cookies ASP.NET creates, including the session cookie, get the Secure flag by default.

This goes into web.config on the deployment server. It sets the Secure flag on the ASP.NET session cookie, and once it is enabled the site must be served over HTTPS (so the local machine needs an SSL certificate too if you test with it): a browser never returns a Secure cookie over plain HTTP, so every request would otherwise start a fresh session.

To set the Secure flag on the authentication cookie as well, we add a handler to the global.asax file. It runs at the end of every request, checks whether a Forms Authentication cookie is present in the response and, if it is, marks that cookie Secure. Once I did this, the finding against the authentication cookie was resolved, as shown below:
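The handler described above, written out as an added example (it is not the post's own code, which appeared only as a screenshot). It assumes a Web Forms or MVC application with Forms Authentication configured in web.config; the class name Global and the event name Application_EndRequest are the standard ASP.NET ones, and the HttpOnly line is an addition that is not discussed in the post.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example for global.asax.cs: mark the Forms Authentication cookie Secure
// (and HttpOnly) before the response leaves the server.
public class Global : HttpApplication
{
    // EndRequest fires once per request, after the page/controller has run but
    // before the response headers are sent, so cookies can still be changed here.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;
        string authCookieName = FormsAuthentication.FormsCookieName; // ".ASPXAUTH" unless renamed in web.config

        // Iterate over the keys rather than indexing Response.Cookies[name]:
        // the indexer silently creates an empty cookie when the name is absent,
        // which would send a blank auth cookie on every response.
        foreach (string key in response.Cookies.AllKeys)
        {
            if (!string.Equals(key, authCookieName, StringComparison.Ordinal))
            {
                continue;
            }

            HttpCookie authCookie = response.Cookies[key];
            authCookie.Secure = true;   // browser sends it only over HTTPS
            authCookie.HttpOnly = true; // not readable from script; not covered above, but belongs alongside Secure
        }
    }
}
```

The declarative equivalent is `<authentication><forms requireSSL="true" /></authentication>` in web.config: Forms Authentication then sets Secure on the ticket cookie itself and refuses to issue it over plain HTTP (it throws an HttpException), which is also why the site has to be fully on HTTPS before either change goes live. Verify the result with the same Web Developer cookie view, or by checking the Set-Cookie response header in the browser's network tab for the Secure and HttpOnly attributes.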

After implementing the above changes in the application:

I hope this best practice is helpful to you all. Please feel free to reply and share the best practices you follow when developing web applications, whatever framework you use.