ASP.NET: Failure To Require SSL For Authentication Cookies
Summary#
Invicti detected that the ASP.NET has failed to require SSL for the authentication cookies.
Impact#
When an ASP.NET application is failing to require SSL for the authentication cookies, then the cookie could potentially be stolen by an attacker who can successfully intercept the traffic, following a successful man-in-the-middle attack.
Actions To Take#
You can require the forms authentication cookie from your Web-based applications to use SSL by setting the requireSSL attribute of the forms element to true.
Vulnerable configuration:
<configuration>
<system.web>
<authentication mode="Forms">
<forms requireSSL="false">
Secure configuration:
<configuration>
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">
Classifications#
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
Related Vulnerabilities
