We have a project based on ASP.NET WebForms with .NET version 4.8, where we have used Infragistics web 21.1.20211.2.
We have a user interface where users can upload multiple files of different extensions, and we have validation for each file.
While testing the file upload mechanism, it was discovered that Infragistics stores session data in the URL, as depicted in the image below.
User A is authenticated to the application with valid credentials. Now, let's consider a scenario where User B gains access to User A's machine and sees the URL containing the session information. In this situation, User B could potentially upload random files and access sensitive user information using the session key stored in the URL.
While testing with the Burp Suite tool, it was discovered that even after removing the cookies, the file upload process remained successful due to the session being present in the POST URL.
Concern:
A random attacker can use the session id/key present in the POST URL and upload random files to access information. Could you please advise on this?
Hello Aman,
Thank you for posting into our community!
I have been looking into your question and the provided screenshot, and what I noticed is that the session data is added to the cid parameter. This parameter is set via the controlId option and while looking into the ui.igUpload control’s implementation, there does not seem to be a configuration that results in setting the session data to this option.
Additionally, I have tested this behavior in our File Upload - ASP.NET MVC sample here, and when uploading a file, the request URL includes &cid=serverID1, which is set in the igUpload configuration:
@(Html.Infragistics().Upload()
    .ID("igUpload1")
    .Mode(UploadMode.Single)
    .AutoStartUpload(true)
    .ProgressUrl(Url.Content("~/IGUploadStatusHandler.ashx"))
    .ControlId("serverID1")
    .Render()
)
I am not sure of the overall configuration of your application; however, having the above-mentioned in mind, this leads me to think that the ControlId property is set in a way that the session data is included in it.
Could you please check if this is the case?
In case it is not, in order to assist you further, it would be highly appreciated if you could provide me with a small sample that demonstrates the described behavior.
Having a sample that I can debug on my side will be extremely helpful in further investigating this matter and providing you with a solution as soon as possible.
Thank you for your cooperation. Looking forward to your reply.
Sincerely,
Riva Ivanova
Software Developer
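As an added example (not code from the thread or from Infragistics), the following ASP.NET 4.8 IHttpModule shows the server-side check the Burp test above implies is missing: the igUpload request is tied to the authenticated principal that ASP.NET derives from the auth cookie, so a cid value copied out of a URL is not sufficient on its own, and a cid that contains the session identifier is logged as the misconfiguration suspected in the reply. The upload handler path and the use of ASP.NET's own authentication pipeline are assumptions; the thread names only the progress handler.

```csharp
// Added example, not code from the thread or from Infragistics.
// Assumption: the application authenticates through ASP.NET's pipeline, so
// HttpContext.User reflects the auth cookie, never anything in the query string.
using System;
using System.Diagnostics;
using System.Web;

public class UploadAuthModule : IHttpModule
{
    // Assumed path of the upload handler; the thread names only IGUploadStatusHandler.ashx.
    private const string UploadHandlerPath = "~/IGUploadHandler.ashx";

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        if (!IsUploadRequest(ctx.Request))
            return;

        // 1. Refuse uploads without an authenticated principal. This is what the
        //    Burp test shows to be missing: with the cookies removed, the request
        //    must not succeed regardless of what the URL carries.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
            return;
        }

        // 2. Flag the misconfiguration discussed in the thread: a cid (ControlId)
        //    that contains the session identifier puts session data into URLs,
        //    where browser history and server logs retain it.
        string cid = ctx.Request.QueryString["cid"];
        if (cid != null && ctx.Session != null && cid.Contains(ctx.Session.SessionID))
            Trace.TraceWarning("igUpload cid contains SessionID; set ControlId to a constant such as \"serverID1\".");
    }

    private static bool IsUploadRequest(HttpRequest req) =>
        string.Equals(req.AppRelativeCurrentExecutionFilePath, UploadHandlerPath,
                      StringComparison.OrdinalIgnoreCase);
}
// Register in web.config under <system.webServer><modules>:
//   <add name="UploadAuthModule" type="UploadAuthModule" />
```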
I’ve encountered this issue too. A possible workaround is to handle session keys server-side and pass them as headers rather than embedding them in the URL. It helps avoid security risks and keeps things cleaner. Let me know if this works!