Santa Clara, California – (via THE HOSTING NEWS) – September 6, 2005 – McAfee, Inc., a leader in intrusion prevention, has announced that its leading security services group, Foundstone Professional Services, a division of McAfee, will release a whitepaper on Microsoft ASP.NET Forms Authentication, specifically on signing out users.
The whitepaper is a result of a bug discovered by Rudolph Araujo, senior software security consultant with Foundstone Professional Services. The whitepaper will highlight how web developers can protect themselves from this flaw. The paper can be downloaded from the Foundstone site at: http://www.foundstone.com/resources/whitepapers.htm.
The whitepaper describes the limitations of the FormsAuthentication.SignOut method and explains how to mitigate cookie replay attacks in cases where a forms authentication cookie may have been obtained by a malicious user. The paper introduces methods that web developers can employ to reduce cookie replay attacks in ASP.NET applications. Some of these methods include:
— Use SSL by configuring the Web application in Microsoft Internet Information Services; this ensures the forms authentication feature never issues a cookie over a non-SSL connection.
— Enforce a TTL on the ticket, and use absolute expiration instead of sliding expiration.
— Use HttpOnly cookies to ensure that cookies cannot be accessed through client script, reducing the chances of replay attacks.
— In ASP.NET 2.0 only, use the Membership class to store user information in the MembershipUser object so that forms authentication cookies cannot be used maliciously after sign-out.
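The limitation behind the list above is that FormsAuthentication.SignOut removes the cookie from the user's browser but cannot revoke a ticket an attacker has already copied; that ticket stays valid until it expires. The code below is an added example, not code from the Foundstone whitepaper or from Microsoft's Knowledge Base article, showing how the four recommendations fit together in ASP.NET 2.0: the ticket is issued with an absolute lifetime, the cookie is marked Secure and HttpOnly, and a per-login value stored in the MembershipUser object is rotated on sign-out so a replayed cookie is rejected. The names ReplayGuard, ReplayGuardModule, IssueTicket and IsTicketCurrent, and the choice of MembershipUser.Comment as the storage slot, are assumptions of this example.

```csharp
// Added example (not from the whitepaper or the KB article): server-side
// invalidation of ASP.NET 2.0 forms authentication tickets at sign-out.
//
// Assumed: the application uses the ASP.NET 2.0 Membership provider and the
// MembershipUser.Comment field is not used for anything else. web.config should
// also carry <forms requireSSL="true" slidingExpiration="false" timeout="20"/>
// and <httpCookies httpOnlyCookies="true"/> so the built-in module never
// renews or re-issues the ticket behind this code's back.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class ReplayGuard
{
    // Issue a ticket whose UserData carries a fresh per-login "generation"
    // value; the same value is stored server-side in MembershipUser.Comment.
    public static void IssueTicket(HttpResponse response, string userName)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null) throw new InvalidOperationException("unknown user");

        string generation = Guid.NewGuid().ToString("N");
        user.Comment = generation;              // server-side copy
        Membership.UpdateUser(user);

        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(20),   // absolute 20-minute TTL
            false, generation, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // unreadable from client script
        cookie.Secure = true;     // sent only over SSL
        cookie.Path = FormsAuthentication.FormsCookiePath;
        // No cookie.Expires: session cookie, not a persistent one.
        response.Cookies.Add(cookie);
    }

    // Sign out: clear the client cookie AND rotate the stored generation, so
    // any previously captured copy of the cookie no longer matches.
    public static void SignOut(string userName)
    {
        FormsAuthentication.SignOut();
        MembershipUser user = Membership.GetUser(userName);
        if (user != null)
        {
            user.Comment = Guid.NewGuid().ToString("N");
            Membership.UpdateUser(user);
        }
    }

    // A ticket is current only if it is unexpired and its generation still
    // matches the one stored for the named user.
    public static bool IsTicketCurrent(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired) return false;
        MembershipUser user = Membership.GetUser(ticket.Name);
        if (user == null || string.IsNullOrEmpty(user.Comment)) return false;
        return string.Equals(ticket.UserData, user.Comment, StringComparison.Ordinal);
    }
}

// Runs after FormsAuthenticationModule has decrypted the cookie and set the
// principal; rejects tickets whose generation has been rotated away.
public class ReplayGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        FormsIdentity identity =
            app.Context.User == null ? null : app.Context.User.Identity as FormsIdentity;
        if (identity == null) return;   // anonymous or not forms-authenticated

        if (!ReplayGuard.IsTicketCurrent(identity.Ticket))
        {
            // Replayed or stale ticket: downgrade to anonymous, drop the cookie.
            app.Context.User = new GenericPrincipal(
                new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    public void Dispose() { }
}
```

The module is registered under `<httpModules>` in web.config. The trade-off is one membership lookup per authenticated request; that lookup is exactly the server-side state that FormsAuthentication.SignOut alone lacks, and without it no combination of cookie flags prevents a captured ticket from being replayed until its absolute expiry.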
In response to this discovery, Microsoft has developed a Knowledge Base article detailing the limitations of the FormsAuthentication.SignOut method; it can be downloaded at:
“Securing an enterprise web site demands proactive and constant vigilance, and McAfee’s Foundstone Professional Services division is dedicated to providing application developers with the knowledge needed to establish effective defenses against malicious attacks,” said Mark Curphey, consulting director, McAfee’s Foundstone Professional Services. “By arming individuals with best practices in secure software development, they can create web environments that defend against the latest security threats.”
Foundstone Professional Services, a division of McAfee, Inc., offers a unique combination of software, services, and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies, recommends, and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. Foundstone Professional Services offers security courses that teach secure web service development, including effectively and efficiently securing ASP.NET authentication. More information can be found at: www.foundstone.com/writesecurecode.