ABSTRACT

Unprotected role information in cookies could be viewed or modified by attackers.

EXPLANATION

If the cacheRolesInCookie attribute of the configuration/system.web/authentication/forms element in web.config is set to true, then the roles for each user are cached in a cookie. If this information is stored in plaintext, anyone with access to machines used to interact with the application will have access to the information stored in the cookie. Worse yet, if attackers are allowed to arbitrarily modify the data stored in cookies, they can falsify information provided to the application and potentially alter its behavior to their advantage.

In many cases, an application can validate input from cookies programmatically according to the context in which it is used, but the ASP.NET validation framework provides an excellent way to verify that the cookie has not been modified unexpectedly. Without this approach, it is difficult, and often impossible, to establish with a high level of confidence that all input is validated.
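As an added example that is not part of this description, the following Python audit parses a constructed web.config and reports any role cache whose cookie is not both encrypted and signed. It assumes the cacheRolesInCookie, cookieProtection and cookieRequireSSL attributes of the roleManager element, with cookieProtection taking the CookieProtectionValue names from reference [1] (None, Validation, Encryption, All) and defaulting to All when omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: roles cached in a cookie that is neither
# encrypted nor signed, and not restricted to HTTPS.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="true"
                 cookieProtection="None" cookieRequireSSL="false" />
  </system.web>
</configuration>"""

# Same configuration with the roles cookie encrypted and signed (All)
# and only sent over HTTPS.
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="true"
                 cookieProtection="All" cookieRequireSSL="true" />
  </system.web>
</configuration>"""

# What each weaker CookieProtectionValue leaves exposed.
IMPACT = {
    "none": "readable and modifiable",
    "validation": "readable in plaintext (signed but not encrypted)",
    "encryption": "not tamper-protected (encrypted but not signed)",
}


def audit_role_cookie(web_config_xml):
    """Return a list of findings for every element that caches roles in a cookie.
    Attribute values are compared case-insensitively, as the .NET config parser
    does for booleans and enum names."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for elem in root.iter():
        if elem.get("cacheRolesInCookie", "false").lower() != "true":
            continue
        # Assumption: cookieProtection defaults to "All" when the attribute is omitted.
        protection = elem.get("cookieProtection", "All")
        key = protection.lower()
        if key != "all":
            impact = IMPACT.get(key, "unrecognised value, verify manually")
            findings.append(f"{elem.tag}: cookieProtection={protection!r}; roles cookie is {impact}")
        if elem.get("cookieRequireSSL", "false").lower() != "true":
            findings.append(f"{elem.tag}: cookieRequireSSL is not true; roles cookie may be sent over HTTP")
    return findings
```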

REFERENCES

[1] .NET Framework General Reference: CookieProtectionValue Property, Microsoft Corporation

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management

[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications

[4] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3210.1 CAT II

[6] Standards Mapping - FIPS200 - (FISMA) CM, SC

[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 302

[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.10

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.4