Thursday, May 7, 2015

Session Hijacking using Elmah in MVC


In today's blog post, we will be discussing how session can be hijacked using Elmah logs.

Elmah

Elmah stands for Error Logging Modules and Handlers. It's used to log all kinds of errors across the application. One can view all the unhandled exceptions in the application in production environment.
In order to add Elmah to the application, we just need to add Elmah.Mvc (since it's MVC application, we should use Elmah.Mvc) via the Nuget Package Manager.




Once it's added to the project, we can navigate to /Elmah and see all the error logs. If we navigate to the exception details, we can see all kinds of information about the exception like call stack, timestamp, logged in user, request URL, etc. Other than these, there is another very important piece of information that is available i.e. Cookies (esp. AspNet.ApplicationCookie).


Session Hijacking

Session Hijacking attack comprises of stealing the session token used to identify a particular session, generally to gain unauthorized access to the web server.
So I have an application where Employee records are maintained and some users have access to the edit functionality and some are allowed to only view the records but not edit them.

So when innocentuser@xyz.com logs in, he is able to edit the employee record. But when malicioususer@xyz.com tries to access the Edit page, he gets unauthorized error. Now if the malicious user is able to access Elmah records, he can look at the Auth cookie value and copy it and paste it in his browser.
In order to accomplish this attack, I installed this Google Chrome extension called "EditThisCookie". This extension allows me to edit the cookie values. So the malicious user can copy the value from Elmah log and put it in the AspNet.ApplicationCookie like this:


And that's it, now the malicious user has hijacked the innocentuser's session and is logged in as the innocent user. He can access the Employee edit page (or other privileged information which he was not allowed to access).


How to Prevent

Since the information exposed by Elmah logs is so sensitive, we need to take care of who can see all the logs. So proper configuration of Elmah is extremely important.
By default, the Elmah logs are not available to be accessed remotely. In order to allow them to be accessible we need to add this to our config file:

<elmah>

    <security allowRemoteAccess="yes"/>

</elmah> 

If we allow them to be remotely accessible, we need to configure who should have access to it. By setting requiresAuthentication to true, we make sure that the user has to be logged in in order to access the Elmah logs. We can also set specific roles or specific users who should have the access.

  <appSettings>

    <add key="elmah.mvc.disableHandler" value="false" />

    <add key="elmah.mvc.disableHandleErrorFilter" value="false" />

    <add key="elmah.mvc.requiresAuthentication" value="true" />

    <add key="elmah.mvc.IgnoreDefaultRoute" value="false" />

    <add key="elmah.mvc.allowedRoles" value="*" />

    <add key="elmah.mvc.allowedUsers" value="innocentuser@xyz.com" />

    <add key="elmah.mvc.route" value="elmah" />

    <add key="elmah.mvc.UserAuthCaseSensitive" value="true" />

  </appSettings>

So according to the application needs, Elmah should be accessible to specific roles or users.

Conclusion

So we saw how we can login into somebody's account just by looking at the Elmah logs. Therefore, proper configuration of Elmah is extermely important for the security of our web application.
For future updates to my weekly blog, please subscribe to my blog via the "Subscribe By Email" feature at the right and follow me on Twitter. Until then Happy Coding :)



No comments:

Post a Comment