ABSTRACT

Storing a password in plaintext or using weak encryption could result in a system compromise.

EXPLANATION

ASP.NET applications can store user name and password pairs in <credentials> elements in the application's web.config file; the element supports plaintext, MD5 and SHA1 password formats.

Passwords stored in plaintext or using a weak hashing algorithm are accessible to anyone with access to the application's configuration files. This includes anyone with access to the machine where the application is hosted or to the source code repository where the application lives.

Example 1: The following web.config entry incorrectly stores its passwords in plaintext.


<configuration>
  <system.web>
    <authentication>
      <forms protection="All">
        <credentials passwordFormat="Clear">
          <user name="user1" password="my_password"/>
          <user name="user2" password="my_password1"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>

ASP.NET supports credential passwords stored in three formats, specified by the passwordFormat attribute of the configuration/system.web/authentication/forms/credentials element. The possible values for this attribute are:

Clear - indicates that the password is stored in plaintext (least secure)
MD5 - indicates that the password's MD5 hash is stored
SHA1 - indicates that the password's SHA1 hash is stored (most secure)

While an MD5 hash is more secure than plaintext, researchers have found brute-force attacks against the MD5 hashing algorithm. At this time, a SHA1 hash still provides reasonable protection against such attacks.
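The following script is an added example, not part of the original page or of any Microsoft product: it audits a web.config for <credentials> elements whose passwordFormat is Clear or MD5, and shows how such a block can be converted to the SHA1 format. The sample configuration embedded in it is constructed from Example 1 above. Two assumptions are labelled in the comments: that SHA1 is the default when the attribute is omitted, and that the stored hash is the uppercase hex digest of the UTF-8 password, as produced by FormsAuthentication.HashPasswordForStoringInConfigFile.

```python
"""Audit an ASP.NET web.config for weak <credentials passwordFormat="..."> settings
and convert plaintext credential blocks to a hashed format."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the insecure configuration from Example 1 on the page.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authentication>
      <forms protection="All">
        <credentials passwordFormat="Clear">
          <user name="user1" password="my_password"/>
          <user name="user2" password="my_password1"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""

# Risk rating for each of the three passwordFormat values the page lists.
FORMAT_RISK = {"Clear": "high", "MD5": "medium", "SHA1": "low"}
HASHED_FORMATS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def effective_format(creds):
    # Assumption: SHA1 is the documented default when passwordFormat is absent.
    return creds.get("passwordFormat", "SHA1")


def audit_credentials(config_xml):
    """Return one finding per <credentials> element found anywhere in the
    document: the passwordFormat in effect, its risk rating and the user
    names whose passwords that element exposes."""
    root = ET.fromstring(config_xml)
    findings = []
    for creds in root.iter("credentials"):
        fmt = effective_format(creds)
        findings.append({
            "format": fmt,
            "risk": FORMAT_RISK.get(fmt, "unknown"),
            "users": [u.get("name") for u in creds.findall("user")],
        })
    return findings


def hash_for_config(password, fmt="SHA1"):
    """Digest to store in <user password="..."> for the MD5 or SHA1 format.
    Assumption: uppercase hex over the UTF-8 encoded password, matching the
    output of FormsAuthentication.HashPasswordForStoringInConfigFile."""
    if fmt not in HASHED_FORMATS:
        raise ValueError("only MD5 and SHA1 are hashed formats, got %r" % fmt)
    return HASHED_FORMATS[fmt](password.encode("utf-8")).hexdigest().upper()


def rewrite_with_hashes(config_xml, fmt="SHA1"):
    """Return a copy of the configuration in which every Clear <credentials>
    block is switched to the given hashed format and each plaintext password
    is replaced by its digest. Blocks already hashed are left untouched."""
    root = ET.fromstring(config_xml)
    for creds in root.iter("credentials"):
        if effective_format(creds) != "Clear":
            continue
        creds.set("passwordFormat", fmt)
        for user in creds.findall("user"):
            user.set("password", hash_for_config(user.get("password", ""), fmt))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print("passwordFormat=%(format)s risk=%(risk)s users=%(users)s" % finding)
    print(rewrite_with_hashes(SAMPLE_CONFIG))
```

Run it against a real web.config by reading the file into a string and passing it to audit_credentials; any finding rated "high" or "medium" is a credentials block that should be converted, and rewrite_with_hashes gives the SHA1 form to check in instead.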

REFERENCES

[1] .NET Framework General Reference: credentials Element, Microsoft Corporation

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage

[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage

[4] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3210.1 CAT II, APP3340 CAT I

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 260

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication

[8] Standards Mapping - FIPS200 - (FISMA) MP

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8, Requirement 8.4