Summary #

Netsparker detected that the ASP.NET application does not require SSL for its forms authentication cookies.

Impact #

When an ASP.NET application does not require SSL for its forms authentication cookies, the cookie is also sent over unencrypted HTTP connections, so an attacker who can intercept the traffic (for example after a successful man-in-the-middle attack) could steal it.

Actions To Take #

You can require that the forms authentication cookie of your web application is only sent over SSL by setting the requireSSL attribute of the forms element to true.

Vulnerable configuration:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="false" />
    </authentication>
  </system.web>
</configuration>

Secure configuration:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>
  </system.web>
</configuration>

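The following Python script is an added example, not part of the Netsparker page or of any Netsparker tooling. It audits a web.config for Forms-mode authentication elements whose requireSSL attribute is missing (ASP.NET then applies its default of false) or set to something other than true, and offers a helper that rewrites the setting. The three web.config fragments embedded in the script are constructed samples; the loginUrl value in them is an assumed placeholder, not taken from any real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (assumed values, not from a real site).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>"""

# No requireSSL attribute at all: ASP.NET falls back to its default of false.
DEFAULTED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" />
    </authentication>
  </system.web>
</configuration>"""

SECURE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""


def audit_forms_require_ssl(config_xml: str) -> list:
    """Return one finding string per Forms authentication element that
    does not require SSL for its cookie. An empty list means every
    Forms-mode <authentication> element carries requireSSL="true"
    (or no Forms authentication is configured at all)."""
    root = ET.fromstring(config_xml)
    findings = []
    # <system.web> can sit at the top level or inside <location> blocks,
    # so walk the whole tree instead of one fixed path.
    for auth in root.iter("authentication"):
        if auth.get("mode", "").strip().lower() != "forms":
            continue  # Windows/None/Passport modes do not use the forms cookie
        forms = auth.find("forms")
        if forms is None:
            findings.append("Forms mode without a <forms> element; "
                            "requireSSL defaults to false")
            continue
        value = forms.get("requireSSL")
        if value is None:
            findings.append("requireSSL attribute missing; defaults to false")
        elif value.strip().lower() != "true":
            findings.append(f'requireSSL="{value}" does not require SSL')
    return findings


def harden(config_xml: str) -> str:
    """Return the config with requireSSL="true" set on every Forms-mode
    <forms> element, adding the element when it is absent."""
    root = ET.fromstring(config_xml)
    for auth in root.iter("authentication"):
        if auth.get("mode", "").strip().lower() == "forms":
            forms = auth.find("forms")
            if forms is None:
                forms = ET.SubElement(auth, "forms")
            forms.set("requireSSL", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_CONFIG),
               ("defaulted", DEFAULTED_CONFIG),
               ("secure", SECURE_CONFIG)]
    for name, cfg in samples:
        print(f"{name}: {audit_forms_require_ssl(cfg) or 'OK'}")
    print("after hardening:", audit_forms_require_ssl(harden(VULNERABLE_CONFIG)) or "OK")
```

Run it against an exported web.config by passing the file contents to audit_forms_require_ssl. With requireSSL="true" ASP.NET marks the authentication cookie with the Secure flag so browsers send it over HTTPS only, and it refuses to issue the cookie on a plain HTTP request, so the login page must itself be served over HTTPS before the setting is switched on.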
Classifications #
CWE-16; OWASP 2017-A6