계: Security Features

소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.

ASP.NET Misconfiguration: Persistent Authentication

C#/VB.NET/ASP.NET

Abstract

Persistent authentication 티켓은 사용자를 세션 하이재킹에 취약하게 합니다.

Explanation

FormsAuthentication.RedirectFromLoginPage() 메서드는 지정된 시간 동안 사용자를 인증 상태로 유지하는 authentication 티켓을 발행합니다. 이 메서드가 두 번째 인수 false와 함께 호출되면 이 메서드는 web.config에 지정된 시간 동안 유효한 임시 authentication 티켓을 발행합니다. 두 번째 인수 true와 함께 호출되면 이 메서드는 persistent authentication 티켓을 발행합니다. .NET 2.0에서 persistent authentication 티켓의 수명은 web.config의 값을 따르지만 .NET 1.1에서 persistent authentication 티켓은 지나치게 긴 수명 값(예: 50년)을 가집니다.

persistent authentication 티켓을 장시간 동안 유효하도록 허용하면 사용자 및 시스템에 다음과 같은 취약점이 나타납니다.

로그아웃에 실패한 사용자가 세션 하이재킹 공격에 노출되는 기간이 연장됩니다.

공격자가 추측에 사용할 수 있는 유효한 세션 식별자의 평균 수가 증가합니다.

공격자가 사용자 세션의 하이재킹에 성공하면 익스플로이트 기간이 늘어납니다.

References

[1] Jeff Prosise The Keep Sites Running Smoothly By Avoiding These 10 Common ASP.NET Pitfalls MSDN Magazine

[2] Standards Mapping - Common Weakness Enumeration CWE ID 302

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185, CCI-001941, CCI-001942

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-23 Session Authenticity (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[16] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[18] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[20] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[21] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[22] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001530 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001530 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.dotnet.asp_dotnet_misconfiguration_persistent_authentication