Lack of data validation - Session Cookie - C-Sharp

Lack of data validation - Session Cookie - C-Sharp

Need

Secure data validation for session cookies

Context

  • Usage of C# 7.0 for modern language features and enhancements
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
  • Usage of Microsoft.Extensions.DependencyInjection for Dependency Injection in .NET applications
  • Usage of Microsoft.Extensions.Caching.Memory for in-memory caching in .NET applications
  • Usage of Microsoft.AspNetCore.Session for managing user sessions in ASP.NET Core applications

Description

Non compliant code

        public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            options.Cookie.Name = ".My.Session";
            options.IdleTimeout = TimeSpan.FromMinutes(30);
            options.Cookie.HttpOnly = true;
            options.Cookie.IsEssential = true;
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseSession();
    }
}

public class HomeController : Controller
{
    public IActionResult Index()
    {
        HttpContext.Session.SetString("SessionKey", "Value");
        return View();
    }

    public IActionResult AnotherAction(string sessionKey)
    {
        var sessionValue = HttpContext.Session.GetString(sessionKey);
        // Do something with sessionValue
        return View();
    }
}
        
        

In the above code, the Startup class is used to configure session cookies for the application. The ConfigureServices method sets up the session options and the Configure method enables the use of session state in the application.

In the HomeController, the Index action sets a session value with the key "SessionKey". The AnotherAction action retrieves a session value using a key provided in the request.

The vulnerability here is that there is no validation of the session key that is provided in the AnotherAction request. This means that an attacker could potentially provide any key and retrieve the corresponding session value. This could lead to unauthorized access to sensitive information or manipulation of the session state.

Steps

  • Implement server-side data validation for the session cookie value.
  • Use a secure method to generate the session cookie value.
  • Ensure that the session cookie is not directly modifiable by the client.
  • Consider using a secure session management library or framework.

Compliant code

        public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            options.Cookie.Name = ".My.Session";
            options.IdleTimeout = TimeSpan.FromMinutes(30);
            options.Cookie.HttpOnly = true;
            options.Cookie.IsEssential = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseSession();
    }
}

public class HomeController : Controller
{
    public IActionResult Index()
    {
        var sessionKey = Guid.NewGuid().ToString();
        HttpContext.Session.SetString(sessionKey, "Value");
        return View();
    }

    public IActionResult AnotherAction(string sessionKey)
    {
        if (HttpContext.Session.TryGetValue(sessionKey, out byte[] _))
        {
            var sessionValue = HttpContext.Session.GetString(sessionKey);
            // Do something with sessionValue
            return View();
        }
        else
        {
            return BadRequest("Invalid session key");
        }
    }
}
        
        

The updated code now includes server-side validation for the session cookie value. The session key is generated using a secure method ( Guid.NewGuid().ToString()) and is not directly modifiable by the client.

In the ConfigureServices method, the CookieSecurePolicy is set to Always, which ensures that the cookie is always sent over HTTPS, providing an additional layer of security.

In the AnotherAction method, the TryGetValue method is used to check if the session key exists in the session before attempting to retrieve its value. If the session key does not exist, a BadRequest response is returned, indicating that the provided session key is invalid. This prevents an attacker from being able to manipulate the session cookie value to gain unauthorized access to the application.

References