We have a project based on ASP.NET Web Forms with .NET version 4.8 where we have used Infragistics web 21.1.20211.2.
We have a user interface where a user can upload multiple files of different extensions, and we have a validation for each file.
While testing the file upload mechanism, it was discovered that Infragistics stores session data in the URL, as depicted in the image below.
User A is authenticated to the application with valid credentials. Now, let's consider a scenario where User B gains access to User A's machine and sees the URL containing the session information. In this situation, User B could potentially upload random files and access sensitive user information using the session key stored in the URL.
While testing with the Burp Suite tool, it was discovered that even after removing the cookies, the file upload process remained successful due to the session being present in the POST URL.
Concern:
A random attacker can use session id/key present in the post URL and upload random files to access information. Could you please suggest on this?
The issue described is a Session Fixation vulnerability where attackers exploit session IDs in URLs to upload malicious files and access sensitive information. To mitigate this in Ignite UI for ASP.NET Core, follow these steps:
Review application logs and monitor for suspicious activity to ensure system security.
Hello Aman,
Thank you for posting into our community!
I have been looking into your question and the provided screenshot, and what I noticed is that the session data is added to the cid parameter. This parameter is set via the controlId option and while looking into the ui.igUpload control’s implementation, there does not seem to be a configuration that results in setting the session data to this option.
Additionally, I have tested this behavior in our File Upload - ASP.NET MVC sample here, and when uploading a file, the request URL includes &cid=serverID1, which is set in the igUpload configuration:
@(Html.Infragistics().Upload()
    .ID("igUpload1")
    .Mode(UploadMode.Single)
    .AutoStartUpload(true)
    .ProgressUrl(Url.Content("~/IGUploadStatusHandler.ashx"))
    .ControlId("serverID1")
    .Render()
)
I am not sure of the overall configuration of your application; however, having the above-mentioned in mind, this leads me to think that the ControlId property is set in a way that the session data is included in it.
Could you please check if this is the case?
In case it is not, in order to assist you further, it would be highly appreciated if you could provide me with a small sample that demonstrates the described behavior.
Having a sample that I can debug on my side will be extremely helpful in further investigating this matter and providing you with a solution as soon as possible.
Thank you for your cooperation. Looking forward to your reply.
Sincerely, Riva Ivanova Software Developer
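A defender-side check for the two observations in this thread (a session value showing up in the igUpload cid parameter, and an upload that still succeeds once cookies are stripped), as an added example that is not from the original thread or from Infragistics: it audits constructed request-log lines for both symptoms. The handler path /IGUploadHandler.ashx, the log layout and the session value are assumptions.

```python
import re
from urllib.parse import parse_qs

# Default ASP.NET SessionIDManager ids are 24 characters drawn from a-z and 0-5.
ASPNET_SESSION_ID = re.compile(r"^[a-z0-5]{24}$")
UPLOAD_HANDLER = "/IGUploadHandler.ashx"  # hypothetical upload handler path

# Constructed log lines (not from the original thread), one request per line:
# method uri-stem uri-query status cookie   ("-" means empty)
SAMPLE_LOG = """\
POST /IGUploadHandler.ashx action=upload&cid=serverID1 200 ASP.NET_SessionId=ab2c3d4e5f0a1b2c3d4e5f0a
POST /IGUploadHandler.ashx action=upload&cid=ab2c3d4e5f0a1b2c3d4e5f0a 200 ASP.NET_SessionId=ab2c3d4e5f0a1b2c3d4e5f0a
POST /IGUploadHandler.ashx action=upload&cid=ab2c3d4e5f0a1b2c3d4e5f0a 200 -
GET /Default.aspx - 200 ASP.NET_SessionId=ab2c3d4e5f0a1b2c3d4e5f0a
"""


def parse_line(line):
    """Split one log line into (method, stem, cid, status, session_cookie)."""
    method, stem, query, status, cookie = line.split(maxsplit=4)
    cid = parse_qs(query).get("cid", [None])[0] if query != "-" else None
    sess = None
    if cookie != "-":
        for part in cookie.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "ASP.NET_SessionId":
                sess = value
    return method, stem, cid, int(status), sess


def audit(log_text):
    """Return (line_no, finding) pairs for requests that expose or bypass the session."""
    findings = []
    for n, line in enumerate(filter(None, log_text.splitlines()), 1):
        method, stem, cid, status, sess = parse_line(line)
        # Symptom 1: the cid value is shaped like an ASP.NET session id.
        if cid and ASPNET_SESSION_ID.match(cid):
            findings.append((n, "cid has session-id format"))
        # Symptom 1, confirmed: cid carries the very value held in the session cookie.
        if cid and sess and cid == sess:
            findings.append((n, "cid equals ASP.NET_SessionId cookie"))
        # Symptom 2: the upload handler accepted a POST that carried no session cookie.
        if method == "POST" and stem == UPLOAD_HANDLER and sess is None and status == 200:
            findings.append((n, "upload accepted without session cookie"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

A clean deployment, where ControlId is a static identifier such as serverID1 and the handler rejects cookieless POSTs, produces no findings on such a log.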