Session Hijacking in ASP.NET{2}

The article talks about how easy it is to find and exploit unsecured websites using ELMAH (Error Logging Modules and Handlers for ASP.NET). ELMAH is an error logging module for ASP.NET websites that makes it easy for web masters to view the errors their websites are giving. It is a very popular module for ASP.NET and used widely. The information it gives administrators is so informative that hackers can use the same module to exploit and hijack a website by looking at the same logs. Unsecured ELMAH logs can be used to hijack the entire website because it can provide authentication cookies and user types which the hacker can easily spoof and create their own authentication cookies. Unsecured ELMAH logs can also provide sqlstatements and passwords from the internal database making it a very big security breach. The article then talks about how to protect and secure ELMAH and some best practices to avoid this easily mitigated exploit.

This article is related to our class because it talks about ASP.NEt and user sessions which we did for our project # 3. This is an interesting article because it shows how easy it is to hijack and exploit websites by using a simple tool. It teaches web masters to make sure they properly secure their websites against simple exploits and practice better network security.

Session ID hacking and exploitation greatly interests me because of recent events happening with a game I’m currently playing (Diablo 3). A large amount of the player population is getting their accounts hacked and stolen. The user base is currently blaming session spoofing and session hijacking as the primary reason why their accounts are currently getting hacked. Even though the game company (Blizzard) denies any allegation of session hijacking, a large amount of the user base still believe this is the reason why they got their accounts hacked.

Hunt, T. (2012, January 09). Troy hunt’s blog. Retrieved from