Summary #

Netsparker detected that cookieless authentication is enabled in the ASP.NET application.

Impact #

When an ASP.NET application is configured to use cookieless authentication, it stores the authentication token in the page URLs rather than in a cookie. Because URLs are recorded in browser history, proxy and server logs, and Referer headers, the token is far more likely to be exposed, which makes it easier for an attacker to perform session hijacking.

Actions To Take #

Cookieless Forms Authentication is enabled within the machine.config file or the web.config file of your application by setting the cookieless attribute of the forms element. To disable cookieless authentication, set the cookieless attribute to “UseCookies”, as in the following configuration:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>

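As an added example (not Netsparker's own check), a small Python audit that reads a web.config, reports the effective cookieless setting of the forms element, and flags request log lines that already carry a forms ticket in the URL. The sample configs and log lines are constructed; the check assumes ASP.NET's documented behaviour that a missing cookieless attribute defaults to UseDeviceProfile and that URI-carried forms tickets appear as an (F(...)) path segment.

```python
import re
import xml.etree.ElementTree as ET

SAFE_VALUE = "UseCookies"
# ASP.NET default when the attribute is absent; may fall back to URI tickets.
DEFAULT_WHEN_ABSENT = "UseDeviceProfile"
# URI-carried forms tickets appear as a "(F(...))" path segment.
TICKET_IN_URL = re.compile(r"\(F\([^()/]+\)\)")


def audit_forms_cookieless(web_config_xml: str) -> dict:
    """Report the effective 'cookieless' value of <forms> and whether it is safe."""
    root = ET.fromstring(web_config_xml)
    forms = root.find("./system.web/authentication[@mode='Forms']/forms")
    if forms is None:
        return {"forms_auth": False, "cookieless": None, "safe": True}
    value = forms.get("cookieless", DEFAULT_WHEN_ABSENT)
    return {"forms_auth": True, "cookieless": value, "safe": value == SAFE_VALUE}


def urls_with_ticket(log_lines):
    """Return request log lines whose URL carries a forms ticket."""
    return [line for line in log_lines if TICKET_IN_URL.search(line)]


# Constructed sample inputs (not real application files or logs).
WEAK_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"><forms name=".ASPXAUTH" loginUrl="login.aspx"
    cookieless="UseUri" /></authentication></system.web></configuration>"""
ABSENT_CONFIG = WEAK_CONFIG.replace(' cookieless="UseUri"', "")
FIXED_CONFIG = WEAK_CONFIG.replace("UseUri", "UseCookies")
SAMPLE_LOG = [
    "GET /app/(F(abc123XYZ-_))/default.aspx 200",
    "GET /app/login.aspx 200",
    "GET /app/(S(sess456))/default.aspx 200",  # session id segment, not a forms ticket
]

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("absent", ABSENT_CONFIG), ("fixed", FIXED_CONFIG)]:
        print(name, audit_forms_cookieless(cfg))
    print("ticket-bearing requests:", urls_with_ticket(SAMPLE_LOG))
```

Run it against a real web.config to see the effective setting; any (F(...)) hit in the access log is a sign that tickets are already being carried in URLs and should be rotated after the fix.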
Classifications #
CWE-16; OWASP 2013-A5; OWASP 2017-A6