In today's blog post, we will be discussing how a session can be hijacked using Elmah logs.
Elmah
Elmah stands for Error Logging Modules and Handlers. It is used to log all kinds of errors across the application, so that one can view all the unhandled exceptions that occur in the production environment. In order to add Elmah to the application, we just need to add Elmah.Mvc (since it is an MVC application, we should use Elmah.Mvc) via the NuGet Package Manager.
Once it is added to the project, we can navigate to /Elmah and see all the error logs. If we open the details of an exception, we can see all kinds of information about it, such as the call stack, timestamp, logged-in user, request URL, etc. Besides these, there is another very important piece of information available: the request cookies (especially the AspNet.ApplicationCookie).
Session Hijacking
A session hijacking attack consists of stealing the session token used to identify a particular session, generally to gain unauthorized access to the web application. So I have an application where employee records are maintained; some users have access to the edit functionality, while others are only allowed to view the records but not edit them.
So when innocentuser@xyz.com logs in, he is able to edit the employee record. But when malicioususer@xyz.com tries to access the Edit page, he gets an unauthorized error. Now, if the malicious user is able to access the Elmah records, he can look at the auth cookie value, copy it, and paste it into his own browser.
In order to accomplish this attack, I installed the Google Chrome extension called "EditThisCookie". This extension allows me to edit cookie values. So the malicious user can copy the value from the Elmah log and put it in the AspNet.ApplicationCookie. And that's it: the malicious user has now hijacked innocentuser's session and is logged in as the innocent user. He can access the Employee edit page (or other privileged information he was not allowed to access).
How to Prevent
Since the information exposed by the Elmah logs is so sensitive, we need to take care of who can see them, so proper configuration of Elmah is extremely important. By default, the Elmah logs cannot be accessed remotely. In order to make them remotely accessible, we need to add this to our config file:
```xml
<elmah>
  <security allowRemoteAccess="yes"/>
</elmah>
```

```xml
<appSettings>
  <add key="elmah.mvc.disableHandler" value="false" />
  <add key="elmah.mvc.disableHandleErrorFilter" value="false" />
  <add key="elmah.mvc.requiresAuthentication" value="true" />
  <add key="elmah.mvc.IgnoreDefaultRoute" value="false" />
  <add key="elmah.mvc.allowedRoles" value="*" />
  <add key="elmah.mvc.allowedUsers" value="innocentuser@xyz.com" />
  <add key="elmah.mvc.route" value="elmah" />
  <add key="elmah.mvc.UserAuthCaseSensitive" value="true" />
</appSettings>
```

If we allow the logs to be remotely accessible, we need to configure who should have access to them. By setting elmah.mvc.requiresAuthentication to true, we make sure that the user has to be logged in to access the Elmah logs. We can also set the specific roles (elmah.mvc.allowedRoles) or specific users (elmah.mvc.allowedUsers) who should have access; note that leaving allowedRoles at "*" admits every authenticated user, so it should be narrowed to the roles that actually need the logs.

So, according to the application's needs, Elmah should be accessible only to specific roles or users.
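Restricting who can open /Elmah is one layer; a second, complementary layer is to make sure the auth cookie value never reaches the log store in the first place. The following is an added example (not code from the post or from the Elmah project) of an ErrorLog wrapper that redacts the sensitive cookies and the raw Cookie header before delegating to a real store. The class name RedactingErrorLog, the list of cookie names and the choice of MemoryErrorLog as the backing store are assumptions for this illustration.

```csharp
using System.Collections;
using Elmah;

// Hypothetical wrapper: scrubs session/auth material from an ELMAH Error
// before it is persisted, so the error details page cannot leak it.
public sealed class RedactingErrorLog : ErrorLog
{
    // Cookie names assumed for this example; ".AspNet.ApplicationCookie" is the
    // ASP.NET Identity auth cookie the post refers to.
    private static readonly string[] SensitiveCookies =
    {
        ".AspNet.ApplicationCookie",
        "ASP.NET_SessionId",
        "__RequestVerificationToken"
    };

    private const string Redacted = "[REDACTED]";
    private readonly ErrorLog _inner;

    // ELMAH instantiates error logs with the <errorLog> config dictionary.
    // An in-memory store is used here; swap in SqlErrorLog, XmlFileErrorLog, etc.
    public RedactingErrorLog(IDictionary config)
    {
        _inner = new MemoryErrorLog(config);
    }

    // Redact in place, then hand the sanitised error to the real store.
    public override string Log(Error error)
    {
        Redact(error);
        return _inner.Log(error);
    }

    public static void Redact(Error error)
    {
        foreach (var name in SensitiveCookies)
        {
            if (error.Cookies[name] != null) error.Cookies[name] = Redacted;
        }
        // The whole Cookie header is also captured as a server variable.
        if (error.ServerVariables["HTTP_COOKIE"] != null)
            error.ServerVariables["HTTP_COOKIE"] = Redacted;
    }

    public override ErrorLogEntry GetError(string id) => _inner.GetError(id);

    public override int GetErrors(int pageIndex, int pageSize, IList errorEntryList)
        => _inner.GetErrors(pageIndex, pageSize, errorEntryList);
}
```

To activate it, point the `<errorLog type="..." />` element inside `<elmah>` at this class (fully qualified name plus assembly); the access controls above still apply, this only limits what a reader of the logs can obtain.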
Conclusion
So we saw how we can log into somebody's account just by looking at the Elmah logs. Therefore, proper configuration of Elmah is extremely important for the security of our web application. For future updates to my weekly blog, please subscribe to my blog via the "Subscribe By Email" feature at the right.