What to do when your users get hacked

I recently saw a trend in my user agent log files "Microsoft URL Control - 6.01.9782" causing problems. When I track IP, it comes from China or India. Our site is very local, so we get very few visitors from outside the city.

Interestingly, what is new is that I see a valid registered user logged in through OpenID. My guess about what is happening is that the cookies on users' computers are cloned and the virus captures the session. I use the asp.net built-in authentication to process my cookies, and Microsoft does not include any checks for the IP or user agent, so I know that I can copy cookies and fake the login.

I have seen both Google and Facebook accounts like this.

My questions:

A) Is there an easy way to make asp.net authentication more secure?

B) What to do with these accounts? (best practice) I do not collect any personal information and cannot contact some of my users.

+4
2 answers

You can use HttpOnly, which prevents client-side script from accessing the cookie via the document.cookie property. Cookies will still be sent back and forth, but will not be accessible to script and will not be stolen.

With ASP.NET 1.1, add the code below to Global.asax:

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        foreach (string cookie in Response.Cookies)
        {
            const string HTTPONLY = ";HttpOnly";
            string path = Response.Cookies[cookie].Path;
            if (path.EndsWith(HTTPONLY) == false)
            {
                // force HttpOnly to be added to the cookie
                Response.Cookies[cookie].Path += HTTPONLY;
            }
        }
    }

With ASP.NET 2.0 and higher, you can use web.config:

    <system.web>
        <httpCookies httpOnlyCookies="true" />
    </system.web>

If security is something very important on your system, the best approach is to invest in an SSL (Secure Sockets Layer) connection to your site. You can then set the cookie property that causes the cookie to be sent only when an SSL connection is present. SSL does not protect the cookie from being read or manipulated while it is on the user's computer, but it prevents the cookie from being read in transit because the cookie is encrypted. This approach requires an SSL certificate.

This can be done in the httpCookies web.config element.

    <system.web>
        <httpCookies requireSSL="true" />
    </system.web>

If the connection is not over SSL, the cookie is not sent to the server.

More details:

ASP.NET Cookies FAQ

Develop and deploy secure web applications using ASP.NET 2.0 and IIS 6.0

+1

You need to think about security boundaries here. If the end user's PC is hacked, you can't do anything on your site to make sure that the attacker cannot behave like that user. A well-designed piece of malware can fully function as the user, see everything that they see, and capture everything, including the passwords that they type.

The responsible thing, and in fact what sites such as Google do, is to notify the user that their account was accessed from a suspicious IP address and provide them with links to information on how to clean their PC, change their password on all sites (especially their email provider) and prevent identity theft. You can do this with a batch job: flag the accounts and display a bright red warning sign the next time they log in, or even send them an email to let them know what is going on.

0
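As an added example (not code from either answer), here is the kind of batch job the second answer describes, in Python: it flags sessions that behave like the cloned cookies in the question, that is, the same session cookie presented from more than one client IP, with more than one user agent, or with the "Microsoft URL Control" user agent. The log lines are constructed, and the pipe-separated log format is an assumption.

```python
from collections import defaultdict

# Constructed sample log (not from the original post). Fields are pipe-separated:
# timestamp|user|session id|client IP|user agent
SAMPLE_LOG = """\
2011-03-01T10:00:01|alice|sess-A1|203.0.113.7|Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
2011-03-01T10:05:12|alice|sess-A1|203.0.113.7|Mozilla/5.0 (Windows NT 6.1) Firefox/3.6
2011-03-01T10:07:44|alice|sess-A1|198.51.100.23|Microsoft URL Control - 6.01.9782
2011-03-01T10:09:00|bob|sess-B7|203.0.113.42|Mozilla/5.0 (Macintosh) Safari/533
2011-03-01T10:11:30|carol|sess-C3|203.0.113.99|Mozilla/5.0 (Windows NT 5.1) Chrome/9
"""

# User agent prefixes the question identified as the abusive client.
SUSPICIOUS_UA_PREFIXES = ("Microsoft URL Control",)

def parse_log(text):
    # Yield one record per well-formed line; blank or malformed lines are skipped.
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        ts, user, session, ip, ua = parts
        yield {"ts": ts, "user": user, "session": session, "ip": ip, "ua": ua}

def find_hijacked_sessions(text, suspicious_ua_prefixes=SUSPICIOUS_UA_PREFIXES):
    """Return {session: {"user": ..., "reasons": [...]}} for sessions whose cookie was
    seen from several IPs, with several user agents, or with a known-bad user agent.
    These are hints that select accounts for a warning, not proof of compromise."""
    ips, uas, owner = defaultdict(set), defaultdict(set), {}
    for rec in parse_log(text):
        ips[rec["session"]].add(rec["ip"])
        uas[rec["session"]].add(rec["ua"])
        owner[rec["session"]] = rec["user"]
    flagged = {}
    for session, user in owner.items():
        reasons = []
        if len(ips[session]) > 1:
            reasons.append("multiple client IPs: " + ", ".join(sorted(ips[session])))
        if len(uas[session]) > 1:
            reasons.append("multiple user agents")
        if any(ua.startswith(suspicious_ua_prefixes) for ua in uas[session]):
            reasons.append("known abusive user agent")
        if reasons:
            flagged[session] = {"user": user, "reasons": reasons}
    return flagged

def accounts_to_warn(text):
    # Sorted usernames to mark for the next-login warning or notification email.
    return sorted({v["user"] for v in find_hijacked_sessions(text).values()})

if __name__ == "__main__":
    print("accounts to warn:", accounts_to_warn(SAMPLE_LOG))
```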

Source: https://habr.com/ru/post/1402933/
