Infragistics web upload session key store in the URL issue

We have a project based on ASP.NET Web Forms with .NET version 4.8, where we have used Infragistics web 21.1.20211.2.

We have a user interface where the user can upload multiple files of different extensions, and we have validation for each file.

While testing the file upload mechanism, it was discovered that Infragistics stores session data in the URL, as depicted in the image below.

User A is authenticated to the application with valid credentials. Now, let's consider a scenario where User B gains access to User A's machine and sees the URL containing the session information. In this situation, User B could potentially upload random files and access sensitive user information using the session key stored in the URL.

While testing with the Burp Suite tool, it was discovered that even after removing the cookies, the file upload process remained successful because the session was present in the POST URL.

Concern:

A random attacker can use the session id/key present in the POST URL and upload random files to access information. Could you please advise on this?


The issue described is a Session Fixation vulnerability where attackers exploit session IDs in URLs to upload malicious files and access sensitive information. To mitigate this in Ignite UI for ASP.NET Core, follow these steps:

1. Avoid Exposing Session IDs in URLs: Use cookies for session management instead of passing session keys in URLs.
2. Implement File Validation: Validate file types, sizes, and content on both client and server sides.
3. Restrict Upload Permissions: Ensure proper user authentication and authorization for file uploads.
4. Use CSRF Protection: Implement anti-CSRF tokens to prevent unauthorized actions.
5. Regenerate Session IDs: Regenerate session keys upon user authentication to avoid fixation.
6. Enable HTTPS: Encrypt session data in transit to prevent interception.

Review application logs and monitor for suspicious activity to ensure system security.
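The log review suggested above, as an added example that is not from the original thread or from Infragistics: it scans IIS W3C log lines for session tokens carried in the URL (a query parameter or the ASP.NET cookieless `/(S(id))/` path form) and reports any token that arrived from more than one client address, which is the reuse scenario described in the question. The log lines are constructed, and the `sessionKey` parameter name and `/UploadHandler.ashx` path are assumptions, not the product's real names.

```python
# Added example: flag session tokens carried in request URLs in IIS W3C logs,
# and tokens reused from more than one client address (the scenario in the post).
# Log lines are constructed; the 'sessionKey' parameter name and handler path
# are assumptions, not Infragistics' actual names.
import re
from collections import defaultdict
from urllib.parse import parse_qs

SESSION_PARAMS = {"sessionkey", "sessionid", "session"}   # assumed parameter names
COOKIELESS_RE = re.compile(r"\(S\(([^)]+)\)\)")            # ASP.NET /(S(id))/ form

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 10:00:01 POST /UploadHandler.ashx sessionKey=abc123&fileId=1 10.0.0.5 200
2024-05-01 10:00:07 POST /UploadHandler.ashx sessionKey=abc123&fileId=2 10.0.0.5 200
2024-05-01 10:02:40 POST /UploadHandler.ashx sessionKey=abc123&fileId=3 192.168.7.9 200
2024-05-01 10:03:11 GET /(S(zz9q8w))/Default.aspx - 10.0.0.6 200
2024-05-01 10:04:00 GET /Default.aspx - 10.0.0.7 200
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def extract_token(entry):
    """Return the session token carried in the URL, or None if there is none."""
    m = COOKIELESS_RE.search(entry.get("cs-uri-stem", ""))
    if m:
        return m.group(1)
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return None
    for name, values in parse_qs(query).items():
        if name.lower() in SESSION_PARAMS:
            return values[0]
    return None

def analyse(text):
    """Return (exposed, reused): how many requests carried a token in the URL,
    and {token: sorted client IPs} for tokens seen from more than one client."""
    clients, exposed = defaultdict(set), 0
    for entry in parse_w3c(text):
        token = extract_token(entry)
        if token is not None:
            exposed += 1
            clients[token].add(entry["c-ip"])
    return exposed, {t: sorted(ips) for t, ips in clients.items() if len(ips) > 1}
```

On the sample log, `analyse(SAMPLE_LOG)` reports four requests with a token in the URL and flags `abc123` as used from both `10.0.0.5` and `192.168.7.9`; a token seen from a second address is the signal to invalidate that session and check what was uploaded under it.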
