Infragistics web upload session key stored in the URL issue

We have a project based on ASP.NET webform with .NET version 4.8 where we have used Infragistics web 21.1.20211.2

We have a user interface where the user can upload multiple files of different extensions, and we have validation for each file.

While testing the file upload mechanism, it was discovered that Infragistics stores session data in the URL, as depicted in the image below.

User A is authenticated to the application with valid credentials. Now, let's consider a scenario where User B gains access to User A's machine and sees the URL containing the session information. In this situation, User B could potentially upload random files and access sensitive user information using the session key stored in the URL.

While testing with the Burp Suite tool, it was discovered that even after removing the cookies, the file upload process remained successful due to the session being present in the POST URL.

Concern:

A random attacker can use the session id/key present in the POST URL and upload random files to access information. Could you please advise on this?


    The issue described is a Session Fixation vulnerability where attackers exploit session IDs in URLs to upload malicious files and access sensitive information. To mitigate this in Ignite UI for ASP.NET Core, follow these steps:

    1. Avoid Exposing Session IDs in URLs: Use cookies for session management instead of passing session keys in URLs.
    2. Implement File Validation: Validate file types, sizes, and content on both client and server sides.
    3. Restrict Upload Permissions: Ensure proper user authentication and authorization for file uploads.
    4. Use CSRF Protection: Implement anti-CSRF tokens to prevent unauthorized actions.
    5. Regenerate Session IDs: Regenerate session keys upon user authentication to avoid fixation.
    6. Enable HTTPS: Encrypt session data in transit to prevent interception.

    Review application logs and monitor for suspicious activity to ensure system security.


    Hello Aman,

    Thank you for posting in our community!

    I have been looking into your question and the provided screenshot, and what I noticed is that the session data is added to the cid parameter. This parameter is set via the controlId option and while looking into the ui.igUpload control’s implementation, there does not seem to be a configuration that results in setting the session data to this option.

    Additionally, I have tested this behavior in our File Upload - ASP.NET MVC sample here, and when uploading a file, the request URL includes &cid=serverID1, which is set in the igUpload configuration:

    @(
            Html.Infragistics().Upload()
            .ID("igUpload1")
            .Mode(UploadMode.Single)
            .AutoStartUpload(true)
            .ProgressUrl(Url.Content("~/IGUploadStatusHandler.ashx"))
            @* the ControlId value is what appears as the cid query parameter *@
            .ControlId("serverID1")
            .Render()
    )

    I am not sure of the overall configuration of your application, however, having the above-mentioned in mind, this leads me to think that the ControlId property is set in a way that the session data is included in it.

    Could you please check if this is the case?

    In case it is not, in order to assist you further, it would be highly appreciated if you could provide me with a small sample that demonstrates the described behavior.

    Having a sample that I can debug on my side will be extremely helpful in further investigating this matter and providing you with a solution as soon as possible.

    Thank you for your cooperation. Looking forward to your reply.

    Sincerely,
    Riva Ivanova
    Software Developer
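The following is an added example, not code from this thread, from Infragistics, or from the original poster's application. It models two things discussed above in plain Python: the Burp replay test from the original post (resend the upload request with the Cookie header stripped and see whether the server still accepts it), run against a vulnerable and a hardened authorization policy for the upload handler that correspond to mitigations 1, 3 and 5 in the first reply; and the check Riva asks for, whether the cid query parameter carries the session id. The session store, Request type and handler functions are hypothetical stand-ins, not ASP.NET or Infragistics APIs; the cookie name ASP.NET_SessionId is the ASP.NET default, and all request data is constructed.

```python
"""Added example (not code from the thread or from Infragistics): models the
cookieless-replay test from the original post and the cid-vs-session check
from Riva's reply. SessionStore, Request and the *_authorize functions are
hypothetical stand-ins for the application's own session and upload handler.
"""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "ASP.NET_SessionId"  # ASP.NET default session cookie name (assumption)


@dataclass
class SessionStore:
    """session id -> authenticated user (hypothetical stand-in for session state)."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, user: str, old_id: Optional[str] = None) -> str:
        """Mitigation 5: retire the pre-login id and issue a fresh one on authentication,
        so an id observed or planted before login is useless afterwards."""
        self.sessions.pop(old_id, None)
        new_id = secrets.token_urlsafe(24)
        self.sessions[new_id] = user
        return new_id

    def user_for(self, session_id: Optional[str]) -> Optional[str]:
        return self.sessions.get(session_id) if session_id else None


@dataclass
class Request:
    url: str
    headers: Dict[str, str]


def session_from_cookie(req: Request) -> Optional[str]:
    jar = SimpleCookie(req.headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def session_from_query(req: Request, param: str = "cid") -> Optional[str]:
    return parse_qs(urlsplit(req.url).query).get(param, [None])[0]


def vulnerable_authorize(store: SessionStore, req: Request) -> Optional[str]:
    """Falls back to the cid parameter when the cookie is absent: reproduces the
    behaviour in the post, where the upload still succeeds after cookies are removed."""
    sid = session_from_cookie(req) or session_from_query(req)
    return store.user_for(sid)


def hardened_authorize(store: SessionStore, req: Request) -> Optional[str]:
    """Mitigations 1 and 3: identity comes only from the session cookie; cid is an
    opaque control identifier and is never consulted for authorization."""
    return store.user_for(session_from_cookie(req))


def replay_without_cookies(req: Request) -> Request:
    """The Burp test from the post: the same request with the Cookie header dropped."""
    return Request(req.url, {k: v for k, v in req.headers.items() if k.lower() != "cookie"})


def cid_is_session_id(req: Request) -> bool:
    """Riva's check: does the cid value equal the session id the browser sends as a
    cookie? True means ControlId is being populated with session data."""
    cid = session_from_query(req)
    return cid is not None and cid == session_from_cookie(req)


def demo() -> Dict[str, object]:
    store = SessionStore()
    sid = store.login("userA")
    # Constructed request in which ControlId was set to the session id, so it
    # surfaces as the cid parameter as the screenshot in the post describes.
    leaky = Request(f"https://app.example/IGUploadStatusHandler.ashx?cid={sid}",
                    {"Cookie": f"{SESSION_COOKIE}={sid}"})
    replay = replay_without_cookies(leaky)
    # Same request with the MVC sample's static ControlId: nothing sensitive in the URL.
    clean = Request("https://app.example/IGUploadStatusHandler.ashx?cid=serverID1",
                    leaky.headers)
    return {
        "leaky_cid_is_session": cid_is_session_id(leaky),
        "clean_cid_is_session": cid_is_session_id(clean),
        "vulnerable_replay_user": vulnerable_authorize(store, replay),
        "hardened_replay_user": hardened_authorize(store, replay),
        "hardened_cookie_user": hardened_authorize(store, leaky),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the vulnerable policy still returning userA for the cookieless replay while the hardened policy returns no user, and cid_is_session_id flags the leaky request but not the one using the sample's static ControlId. Note that the hardened handler only stops the server from honouring an id in the URL; the id still has to be kept out of ControlId, because anything in the request URL ends up in proxy and web-server logs, browser history and Referer headers regardless of how the server treats it.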