Reino: Environment

Esta seção contém tudo o que fica fora do código-fonte, porém que é essencial para a segurança do produto que está sendo criado. Como os problemas tratados neste domínio não são diretamente relacionados com o código-fonte, nós o separamos dos demais domínios.

ASP.NET Misconfiguration: Excessive Session Timeout

C#/VB.NET/ASP.NET

Abstract

Um tempo limite de autenticação excessivamente longo dá aos invasores mais tempo para comprometer as contas do usuário.

Explanation

Quanto mais tempo uma sessão fica aberta, maior a janela de oportunidade que um invasor tem para comprometer contas de usuário. Enquanto uma sessão permanece ativa, um invasor pode ser capaz de aplicar força bruta à senha de um usuário, quebrar a chave de criptografia sem fio de um usuário ou comandar uma sessão de um navegador aberto. Tempos limites de autenticação mais longos também podem impedir que a memória seja liberada e, eventualmente, resultar em uma denial of service se um número suficientemente grande de sessões for criado.

Exemplo 1: O exemplo a seguir mostra a ASP.NET MVC configurada com um tempo limite de autenticação de uma hora.


...
<configuration>
  <system.web>
  <authentication>
    <forms
      timeout="60" />
  </authentication>
  </system.web>
</configuration>
...

Se o atributo de tempo limite não for especificado, o tempo limite de autenticação será de 30 minutos.

References

[1] MSDN ASP.NET Session State

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark partial

[7] Standards Mapping - Common Weakness Enumeration CWE ID 613

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361

[9] Standards Mapping - FIPS200 IA

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination

[13] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[16] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[17] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[18] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)

[21] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration

desc.config.dotnet.asp_dotnet_misconfiguration_excessive_session_timeout