ASP.NET: Failure To Require SSL For Authentication Cookies

Severity: Medium
Summary

Invicti detected that the ASP.NET application does not require SSL for its forms authentication cookie.

Impact

When an ASP.NET application does not require SSL for the authentication cookie, the browser also sends that cookie over plain HTTP. An attacker who can intercept the traffic, for example after a successful man-in-the-middle attack, can then steal the cookie.

Actions To Take

You can require that the forms authentication cookie of your web application is only sent over SSL by setting the requireSSL attribute of the forms element to true in web.config.

Vulnerable configuration:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL defaults to false, so omitting the attribute is equally vulnerable -->
      <forms requireSSL="false" />
    </authentication>
  </system.web>
</configuration>

Secure configuration:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
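The following audit check is an added example, not part of the original page or of Invicti's scanner: it parses a web.config and reports whether the forms authentication cookie is restricted to SSL, treating a missing requireSSL attribute (or a missing forms element) as the insecure default. The sample web.config texts are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from any real project).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>"""

SECURE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

# No requireSSL attribute at all: ASP.NET falls back to its default of false.
IMPLICIT_DEFAULT_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" />
    </authentication>
  </system.web>
</configuration>"""


def check_forms_require_ssl(web_config_xml: str) -> str:
    """Return 'secure', 'vulnerable' or 'not-applicable' for the forms
    authentication cookie described by the given web.config text."""
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authentication")
    # Only forms authentication issues the cookie this finding is about;
    # the authentication mode itself defaults to Windows when unset.
    if auth is None or auth.get("mode", "Windows").lower() != "forms":
        return "not-applicable"
    forms = auth.find("forms")
    # requireSSL defaults to false when the attribute, or the whole
    # <forms> element, is absent, so both cases count as vulnerable.
    value = forms.get("requireSSL", "false") if forms is not None else "false"
    return "secure" if value.strip().lower() == "true" else "vulnerable"


if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG), ("secure", SECURE_CONFIG),
                      ("implicit default", IMPLICIT_DEFAULT_CONFIG)]:
        print(f"{name}: {check_forms_require_ssl(cfg)}")
```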
Classifications