Explore security issues related to ASP. NET Forms authentication

ASP. NET Forms verification is mainly used to prevent Forms from being cracked and endangering website security. Today, we will start with simple Forms and explain the consequences of the crisis.

ASP. NET provides built-in login authentication, the most common is Forms authentication. There are many articles on how to configure and use this verification method. The following describes some of the security issues that have been ignored. In fact, it is no problem, and some problems will come out of the way it is used.

This article will focus on the security issues that will be encountered in practical applications in three parts, and study and try to propose solutions.

I. Simple Forms cracking crisis

Ii. Vertical website Division Forms cracking crisis

Iii. What are the consequences of the crisis?

I. Simple Forms cracking crisis

The simplest ASP. NET Forms authentication is to configure nodes in web. config:

 
 

  
  
<authentication mode="Forms"> 
  
  
    <forms name=".MyCookies"></forms> 
  
  
</authentication> 
 
 

Compile a help class:

 
 

  
  
CookieHelper class
  
  
Public Static ClassCookieHelper {
  
  
Public Static StringEncrypt (StringName,StringValue ){
  
  
FormsAuthenticationTicket ticket =NewFormsAuthenticationTicket (1, name, DateTime. Now, DateTime. Now. AddDays (1 ),True, Value,"/");
  
  
StringAuthTicket = FormsAuthentication. Encrypt (ticket );
  
  
ReturnAuthTicket;
  
  
}
  
  
 
  
  
Public Static VoidSet (StringName,StringValue ){
  
  
HttpCookie cookie =NewHttpCookie (FormsAuthentication. FormsCookieName, Encrypt (name, value ));
  
  
Cookie. Expires = DateTime. Now. AddDays (1 );
  
  
If(HttpContext. Current. Response. Cookies [FormsAuthentication. FormsCookieName] =Null)
  
  
HttpContext. Current. Response. Cookies. Add (cookie );
  
  
Else 
  
  
HttpContext. Current. Response. Cookies. Set (cookie );
  
  
}
  
  
 
  
  
Public Static StringGet (){
  
  
If(HttpContext. Current. Request. Cookies [FormsAuthentication. FormsCookieName] =Null)
  
  
Return Null;
  
  
Else{
  
  
ReturnHttpContext. Current. Request. Cookies [FormsAuthentication. FormsCookieName]. Value;
  
  
}
  
  
}
  
  
 
  
  
Public StaticFormsAuthenticationTicket Decrypt (StringValue ){
  
  
ReturnFormsAuthentication. Decrypt (value );
  
  
}
  
  
}
 
 

Create site SiteA

Create site SiteB

Set the Cookie on the SiteA page:

CookieHelper. Set ("yurow", "123123 ");

OK! In this way, a Cookie is created in SiteA, and there is no problem in itself. However, we often ignore some issues. As you can see, I have provided the Decrypt method in the CookieHelper class, which can Decrypt cookies. The problem lies here! Why? Don't know? Then let the poor man explain to the donor. On such a website, I will perform the following operations:

1. I have registered an account;

2. I use this account to log on to Firefox for convenience );

3. Open Firebug and enable Network Monitoring for the website;

4. Refresh the logon page;

5. You can see a piece of Cookie ciphertext in the HTTP header monitored on this page. For example:

. MyCookie = 32DDE0B4E858248037E4D082EF7E9C9BC607B7AA878F8DD
7DE7C13630A5A38FD9A9DA89B709E79F97D05DEEFC9D55A45D29051D
66955439055D01476E8659E34ABDB42FA0018020194F26618FE74E11B
Such a string.

OK. Create a page in SiteB, add an input box and a button in the middle, and write the following events:

Decryption code

 
 

  
  
protected void Button1_Click(object sender, EventArgs e) {  
  
  
    string text = TextBox1.Text;  
  
  
    if (!string.IsNullOrEmpty(text)) {  
  
  
        FormsAuthenticationTicket ticket = CookieHelper.Decrypt(text);  
  
  
        Type type = ticket.GetType();  
  
  
        PropertyInfo[] properties = type.GetProperties();  
  
  
        StringBuilder sb = new StringBuilder();  
  
  
        foreach (PropertyInfo propertie in properties) {  
  
  
            string name = propertie.Name;  
  
  
            string val = propertie.GetValue(ticket, null).ToString();  
  
  
            sb.Append(name);  
  
  
            sb.Append(":");  
  
  
            sb.Append(val);  
  
  
            sb.Append("\r\n");  
  
  
        }  
  
  
        //textBox2.Text = sb.ToString();  
  
  
        Response.Write(sb.ToString());  
  
  
    }  
  
  
} 
 
 

Copy the ciphertext of the Cookie above to the SiteB page. Click the decrypt button to see what it is?

Version: 1 Name: yurow Expiration: 2009-9-23 19:12:44 IssueDate: 2009-9-22 19:12:44 IsPersistent: True Expired: False UserData: 123123 CookiePath :/

How is it? All information is decrypted! However, it seems that it was too early to decrypt the data and the ciphertext of others' cookies. For the moment, let's talk about vertical division of site security risks.

Ii. Vertical website Division Forms cracking crisis

Vertical division of the site its external performance is generally multi-domain name N multiple sites. For example, space.cnblogs.com and news.cnblogs.com in the blog Park. In the first part of the description above, the poor path seems to have missed the question about setting the machineKey. That's because it should be left here. If it's all said above, what should we talk about now?

Yes, we can set it in web. config.

<MachineKey validationKey = "*********" decryptionKey = "*********" validation = "SHA1" decryption = "3DES"/>

Such a node. If this is set on Site A, SiteB will not be able to correctly decrypt the Cookie ciphertext generated by SiteA unless Site B also sets nodes with the same KEY. It seems that the General website has set this, as if we don't need to worry about it!

Yes. This is generally the case. However, many companies have high mobility, and I believe there are many people who can access web. config in Vertical Split sites. This will allow some people, of course, not including the poor path, to easily obtain this key data. What can this data do? Why? I have configured this node in the Web. config of my own website on SiteB, so that the Cookie ciphertext of the target website can be easily unlocked. In order to ensure the security of this aspect, we have to make the Cookie encryption and decryption part into a service, which is not only easy to update, but also allows as few people as possible to contact, to prevent security problems from being magnified. Otherwise, if someone leaves the company or suffers computer viruses, it is best to change the machineKey. Otherwise? Otherwise, problems may occur. What's wrong? This is what we will talk about below.

Iii. What are the consequences of the crisis?

What are the consequences of the leakage of encrypted keys? The consequences are serious. The preceding example shows the key information contained in the Cookie ciphertext of the website. Instead, we need CookieHelper class. Based on this key information, we can easily create a cookie ciphertext. Write the cookie ciphertext into the Coookies of the target website, and you will be deemed to have logged on. In addition, the authentication we use here may be a user name or ID maintained by the Cookie .) Usernames can be forged at will, that is, users who do not exist can post messages! If you perform verification in the post operation every time, it will undoubtedly increase the burden on the server, and the best way is not to leak the Encrypted KEY. If this method is inappropriate, users can be forged. I tried some websites a few months ago, and forged user posts will render a forum layout or even the homepage inaccessible ), it can also be forged into an administrator account. It is hard to imagine that if you use another user's account or administrator's account to post a message at will, what will happen to the negative impact?

OK. Are you aware of the problem?

This article is from Birdshover's blog garden Article ASP. NET Forms authentication security research-Why encryption code needs to be configured as a service

1. ASP. net mvc unit test: confusing the Path attribute of the HttpContext class
2. Custom ControllerFactory: interface implementation, supporting Area
3. ASP. NET Routing
4. Add custom routes for ASP. net mvc applications
5. Learning how to use ASP. net mvc Routing