Replay Attacks For HTTPS Requests?

May 5, 2010

Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.

What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?

No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading a image with a malicious URL isn't an issue.

View 6 Replies


Similar Messages:

Preventing Cookie Replay Attacks In MVC

Jan 22, 2010

This involves using the Membership provider to add a comment to users server side records when they log in and out, and then confirming that when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.

Is all this work really neccesary. Can I roll my own key value store of cookie values to logged in users and just make sure I clear this when a user hits the logout button. If this seems unsafe is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?

I guess my main problem here is that we decided a long time ago that the membership provider model doesnt fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause troubles.

View 2 Replies

Security :: How To Prevent ASMX (web Service) Replay Attacks

Jan 20, 2011

I have a ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security by .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?

View 1 Replies

Selectively Redirecting HTTP Requests To HTTPS Requests?

Jun 18, 2010

What's the simplest and most effective way to selectively redirect HTTP requests to your ASP.NET page to its HTTPS equivalent? For example, if my page site URL is [URL], I want to redirect some (or all) page requests to [URL] What's the easiest way to do that?

View 2 Replies

How To Use The IIS7 URL Rewrite Module To Reroute HTTP Requests To HTTPs

May 6, 2010

I have web services built with ASP.NET and ASP.NET clients consuming them. When consuming the webservices, how would I to force the clients to use https?

I don't want to force the whole site to use https by turning on require SSL in IIS.

Can I use the IIS7 URL rewrite module to re-route http requests to https?

View 2 Replies

Preventing Reply Attacks In C#.net?

Mar 25, 2011

I am using c#.net web application.I will not allow reply attacks in my application.How do i prevent from the same.

View 3 Replies

SQL Queries Open To Injection Attacks?

Jan 29, 2010

I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see i'd love to hear about too. My code is now looking like:

-code removed-

View 5 Replies

Request Validation - Preventing Script Attacks?

Jan 21, 2010

When a user presses Button1 on the Webpage, I would like to copy slightly modified string from txt1 (Text) into txt2 (Text).
The problem is sometimes I get an error "a potentially dangerous request.form value was detected from the client validaterequest". I get this error when special symbols llike "<" or ">" are in txt1.Text.I've read about that problem. That error is to prevent from hackers who can input scripts into the txt1.All I did is:

1) Put validateRequest="false" into <%@ Page Language="VB" validateRequest="false" at Default.aspx.

2) Default.aspx.vb contains now:

sHTMLEncodedString = Server.HtmlEncode(txt1.Text))
[code]....

Now it works and allows to take any data from txt1, slightly modify it and put into txt2.So, my question is: Did a level of security was reduced after I wrote validateRequest="false" ? Any code should be added to keep the good level of security? Or, I'd better use another way to copy txt1 to txt2?

View 7 Replies

DataSource Controls :: Vulnerable To Sql Injection Attacks?

Jan 23, 2011

using a linqDataSource control... in the selecting event I have code like the following for a simple search feature:

[Code]....

In general, would dynamically building the 'Where' property of a linqDataSource be vulnerable to sql injection? Or does the control protect against this internally?

View 6 Replies

Due To The Presence Of Characters Known To Be Used In Cross Site Scripting Attacks?

Mar 9, 2011

where does following HTTP error message come from:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.

We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appeary instead of '<') but it doesn't Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.

View 1 Replies

Security :: Improve Security Vulnerabilities To Prevent Future Attacks?

Aug 17, 2010

I am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.

View 11 Replies

Deploying MVC 1.0 App With HTTPS?

Aug 19, 2010

We have an application built on ASP.NET MVC 1.0 which, once deployed, should be accessed with HTTPS. I tried few approaches for HTTPS but I have a few questions.:My home page does not need to be Secured (HTTPS), but rest of the hyperlinks following it will be Secured.I read about the action method attribute [requiresHTTPS] however I want to understand what happens to that tag during development on local machine. In a development enviroment, how do I install a certificate on a dev machine/virtual directory to code and test my changes.So this application is complex in nature and we have around 13 controllers and 50 action methods. This application will have information like Credit card numbers since we do accept payment through this website.

View 1 Replies

Capturing The HTTP Requests For A Particular URL?

Mar 21, 2011

How can I capture all the http requests for a particular URL in .NET?

View 1 Replies

.net - Requests Limit In IIS 7.5 (Windows 7)

Mar 3, 2011

I have experienced some troubles when using the IIS server at my workstation with Windows 7. This is a development machine and I don't need to use it as a production server or anything, but for some tests it's quite usefull to see what happens when a lot of requests comes concurrently (in this case even in the same session).

I have learned that with my edition of Windows 7, the limit of requests is 10, but I thought it only means the limit of requests that can be served at any point of time. What I am experiencing instead, is that after firing 10 requests one by one, if the first one didn't complete before the last one was fired, it never completes. The whole IIS is dead, no further requests are put in the worker process queue (there are already 10 requests there hanging so it kinda makes sense) and the only way to go on is to restart.

Is this a standard behavior that cannot be changed on Windows 7 and does firing 10 requests really have to kill IIS (or at least the current worker process) ? Is there some way to change the configuration to fix it (without compromising the setup by creating bunch of worker processes etc.) ?

View 1 Replies

How Parallel Requests Are Processed?

Oct 21, 2010

Let's imaging there are 2 pages on the web site: quick and slow. Requests to slow page are executed for a 1 minute, request to quick 5 seconds.Whole my development career I thought that if 1st started request is slow: he will do a (synchronous) call to DB... wait answer... If during this time request to quick page will be done, this request will be processed while system is waiting for response from DB.[URL] One instance of the HttpApplication class is used to process many requests in its lifetime. However, it can process only one request at a time. Thus, member variables can be used to store per-request data.Does it mean that my original thoughts are wrong?Could you please clarify what they mean? I am pretty sure that thing are as I expect...

View 2 Replies

Page Requests Itself (twice) As An Image?

Jul 26, 2010

When I open my page in Chrome and use the Resource Tracker, at the bottom of the list of requests, there are two GET requests to the aspx file. They take about 2 seconds each. Each request also causes a warning:

Resource interpreted as image but transferred with MIME type text/html.

why a page may be requesting itself, and why it is trying to use it as an image?

View 4 Replies

WCF / ASMX :: Concurrent Requests WCF + Net.tcp?

Nov 18, 2010

we are using the WCF service and hosted using a console application, now we are using LoadRunner and hitting it concurrently

Where giving 50 hits at a time few requests (26) gets completed successfully and remaining gives error TCP error code 10061: No connection could be made because the target machine actively refused it.

View 1 Replies

Can Combine WebResource.axd CSS Requests

Sep 15, 2010

I have developed some ASP.NET server controls which include their own javascript and css files. A lot of these controls use jQuery extensions which, as you know, often include their own css files.

I'm using Telerik's RadScript manager which combines the javascript like a boss. However, I'm using the AjaxToolkit's ClientCssResource attribute to include the css files in my server controls, and I have noticed that the CSS files are not getting combined at all. My pages have 10-15 WebResource.axd requests for css files for my server controls.

Everything I find only is about combining javascript, and nothing tells me how I can combine the CSS files. Does anyone know if there is a way to combine the CSS dynamically (I don't want to manually combine as each page might use a different subset of the server controls)?

View 2 Replies

Can Change All Requests Address

Oct 23, 2010

i am planning to host my all images from another domain which is cookiless but i dont want to alter my all image locations can i do this without changing image locations ?

View 5 Replies

Queues Up All Requests That Use The Same Session ID

Nov 30, 2010

It seems to me that ASP.net queues up all requests that use the same Session ID. Let's say you've got 3 pages. Default.aspx

protected void Page_Load(object sender, EventArgs e)
{
Session["asdf"] = "LOLZ";
}

Hitting this page would obviously create a new session if one doesn't exist.

X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ibjphuv0aiafqi453tyze345; path=/; HttpOnly

Then you hit Hang.aspx

protected void Page_Load(object sender, EventArgs e)
{
Thread.Sleep(10000);
}

And immediately after you hit any other page that this session ID would be passed to, doesn't matter if it does anything, let's call it Test.aspx. The sequence for loading is like so.

Request Timeline
"GET /" |*|
"GET /Hang.aspx" |******************************************|
"GET /Test.aspx" |**************************************|

I guess my question is how do I disable this feature. I understand it's useful to have so that session state can be more predictable, however in my case a long running reports page load is killing users' ability to multitask.

View 1 Replies

WCF / ASMX :: Duplicate Requests Sent?

Sep 23, 2010

I am calling a web service in my aspx page. the web service (written in java) is acting as a middleware between my system and another system (Siebel) to which I send services and get response for these services. some requests are synchronous. Sometimes when invoking a method the response takes a long time to respond, so a time out exception is thrown.

The problem is that the web service is receiving the same request many times despite I am calling it only once.In my log file and database entries it is clear that the request is called only once. but in the middleware and Siebel side they are receving four or five requests for the same request sent by me.

Is this a bug in asp.net. is it possible that the server where my application is deployed is sending the request many times when not getting the response.Note: iam using Visual studion 2005. the application is deployed to windows server 2003.Iam not discussing the problem of time out. iam asking about the duplicate issue.

View 4 Replies

Requests Go Through Application_BeginRequest In Global?

Feb 17, 2011

I am trying to create a 404 handling page but I am now stuck with the page only working for .aspx files, which isn't really what I need.I am running on IIS6.The site has a wildcard mapping,for extensionless URLs.All requests go through Application_BeginRequest in Global.asax but not all errors go through Application_Error.Is there a way where I can get the Application_Error to raise for non .aspx files?

This is the code inside the Application_Error

HttpException serverError = (HttpException)Server.GetLastError();

if (serverError != null) {

[code]...

View 1 Replies

WCF / ASMX :: How To Get Raw Http Requests

Jan 20, 2011

I m invoking a web service and i would like to know if i get the raw http request?

View 4 Replies

Session.SessionID Changes Between Requests?

May 20, 2010

Why does the property SessionID on the Session-object in an ASP.NET-page change between requests?

I have a page like this:

...
<div>
SessionID: <%= SessionID %>
</div>
...

And the output keeps changing every time I hit F5, independent of browser.

I've seen this work correctly in other projects.

View 2 Replies

Change Http:// To Https://?

Jan 14, 2011

Boss want me to change all applications from http:// to https:// to make sites more secure.What steps should I take?

View 4 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved