Session Hijacking in ASP.NET

by Gerardgon Z
The article talks about how easy it is to find and exploit unsecured websites using ELMAH (Error Logging Modules and Handlers for ASP.NET). ELMAH is an error logging module for ASP.NET websites that makes it easy for webmasters to view the errors their websites are giving. It is a very popular and widely used module for ASP.NET. The information it gives administrators is so detailed that hackers can use the same logs to exploit and hijack a website. Unsecured ELMAH logs can be used to hijack the entire website because they can expose authentication cookies and user types, which a hacker can easily spoof to create their own authentication cookies. Unsecured ELMAH logs can also expose SQL statements and passwords from the internal database, making this a very serious security breach. The article then talks about how to protect and secure ELMAH and some best practices to avoid this easily mitigated exploit.
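As a defensive check for the exposure described above, the following added example (not code from this post or from the article it summarizes) audits a `web.config` for an ELMAH log viewer that is reachable without authentication. It assumes ELMAH's usual `elmah.axd` handler path and its `allowRemoteAccess` setting together with standard ASP.NET `<location>`/`<authorization>` rules; the two sample configurations and the role name `Admin` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: remote access is on and nothing restricts elmah.axd,
# so any visitor can read the error log (handler registration omitted).
WEAK = """<configuration>
  <elmah><security allowRemoteAccess="1" /></elmah>
</configuration>"""

# Constructed sample: the viewer is scoped to a <location> that admits one
# role (the name "Admin" is an assumption) and denies everyone else.
HARDENED = """<configuration>
  <elmah><security allowRemoteAccess="1" /></elmah>
  <location path="elmah.axd">
    <system.web>
      <authorization><allow roles="Admin" /><deny users="*" /></authorization>
    </system.web>
  </location>
</configuration>"""

def audit_elmah(config_xml, handler="elmah.axd"):
    """Return findings for an ELMAH log viewer reachable without authentication."""
    root = ET.fromstring(config_xml)
    findings = []
    sec = root.find("elmah/security")
    remote = sec is not None and sec.get("allowRemoteAccess", "0").lower() in ("1", "true", "yes", "on")
    if not remote:
        return findings  # viewer only answers requests from the local machine
    # Collect the authorization rules that apply to the handler path.
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == handler:
            auth = loc.find("system.web/authorization")
            rules = list(auth) if auth is not None else []
    if not rules:
        findings.append("remote access enabled and no <authorization> for " + handler)
    # ASP.NET evaluates rules in order and the first match wins.
    for rule in rules:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag == "deny" and ("*" in users or "?" in users):
            break  # anonymous users are rejected before any broad allow
        if rule.tag == "allow" and ("*" in users or "?" in users):
            findings.append("anonymous users allowed to read " + handler)
            break
    else:
        if rules:  # rules exist but none denies anonymous users
            findings.append("no deny rule for anonymous users on " + handler)
    return findings
```

An empty list means the viewer is either local-only or restricted to authenticated users; any finding means the error log, and the cookies recorded in it, should be treated as exposed.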

This article is related to our class because it talks about ASP.NET and user sessions, which we did for our project #3. This is an interesting article because it shows how easy it is to hijack and exploit ASP.NET websites by using a simple tool. It teaches webmasters to make sure they properly secure their websites against simple exploits and practice better network security.

Session ID hacking and exploitation greatly interests me because of recent events happening with a game I’m currently playing (Diablo 3). A large amount of the player population is getting their accounts hacked and stolen. The user base is currently blaming session spoofing and session hijacking as the primary reason why their accounts are currently getting hacked. Even though the game company (Blizzard) denies any allegation of session hijacking, a large amount of the user base still believes this is the reason why they got their accounts hacked.

Hunt, T. (2012, January 09). Troy Hunt’s blog. Retrieved from http://www.troyhunt.com/2012/01/aspnet-session-hijacking-with-google.html

2 thoughts on “Session Hijacking in ASP.NET”

  • June 4, 2012 at 6:15 am

    It’s interesting that in competent hands, ASP.NET can be robust and secure, but many people can botch it by having unsecured websites. With software like Visual Studio making it easier for people to create their own sites, I think the amount of unsecured websites will exist. Along with unsecured websites, there will always be people to take advantage of that, unfortunately.

  • June 4, 2012 at 6:31 am

    Nice article, it’s pretty scary knowing that error logging modules and handler logs can potentially allow hackers to compromise an entire site. It’s very interesting that this can be a double-edged sword. On one hand working in favor of the administrator in tracing problems, on the other hand being able to assist intruders in gaining access to a server’s private information.
