ASP.NET Misconfiguration: Excessive Session Timeout

ABSTRACT

如果 authentication 超時時間過長，攻擊者就會有更多時間危害用戶帳戶。

EXPLANATION

會話持續時間越長，攻擊者危害用戶帳戶的機會就越大。當會話處于活動狀態時，攻擊者可能會強力攻擊用戶的密碼、破解用戶的無線密鑰或者通過打開的瀏覽器強占會話。如果創建大量的會話，較長的 authentication 超時時間還會阻止系統釋放內存，并最終導致 denial of service。

例 1：下面的例子顯示的是配置了一小時 authentication 超時時間的 ASP.NET MVC。

...
<configuration>
<system.web>
<authentication>
<forms 
timeout="60" />
</authentication>
</system.web>
</configuration>
...

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A3 Broken Authentication and Session Management

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A3 Broken Authentication and Session Management

[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A7 Broken Authentication and Session Management

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3415 CAT II

[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3415 CAT II

[6] MSDN ASP.NET Session State

[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 613

[8] Standards Mapping - FIPS200 - (FISMA) IA

[9] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Session Expiration

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3, Requirement 8.5.15

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7, Requirement 8.5.15

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8, Requirement 8.5.15