Broken authentication problem in ASP.NET application

Posted by Anant under ASP.NET on 6/24/2014 | Points: 10 | Views : 386 | Status : [Member] | Replies : 2
In my ASP.NET application I am using forms authentication. After logging in as a normal partner and browsing to /Admin using an HTTP proxy, the server attempts to redirect the user to the login page, but the contents of /Admin are still returned in the HTTP response body.

When performing the authentication checks, the application should ensure that no data is returned if the user is not an admin.




Responses

Posted by: Vuyiswamb on: 6/26/2014 [Member] [MVP] [Administrator] NotApplicable | Points: 25

What is your problem?

Thank you for posting at Dotnetfunda
[Administrator]


Posted by: Anant on: 6/26/2014 [Member] Starter | Points: 25

Hi, I am using forms authentication, but I am facing a broken authentication problem even after applying several secure settings in web.config. As we know, there are several factors that raise this vulnerability. My main problem is that after logging in with partner credentials and browsing to /Admin using an HTTP proxy, the server attempts to redirect the user to the login page, but the contents of /Admin are still returned in the HTTP response body.

It is possible for an authenticated partner user to gain access to the Admin portal and all associated functionality due to a design flaw in the authorization model which results in non-admin users being sent the content of admin pages.


After logging in as a normal partner, browse to /Admin using an HTTP proxy; you will see that although the server attempts to redirect the user to the login page, the contents of /Admin are still returned in the HTTP response body.


When performing the authorization checks, the application should ensure that no data is returned if the user is not an admin.

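The symptom described in the question and in the reply above (a 302 to the login page whose body still carries the admin markup) is what ASP.NET Web Forms produces when a page redirects without ending the response: the Location header is set, but the page lifecycle keeps running and Render writes the whole page into the body of the redirect. Below is an added example, not the poster's code, contrasting that pattern with one that stops rendering. The page name, the "Admin" role and the BindAdminData helper are assumptions made for the example.

```csharp
// Added example (not from the thread). Assumes a Web Forms page under /Admin
// and an "Admin" role assigned at forms-authentication login; both names are
// assumptions for illustration.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class AdminDefault : Page
{
    // VULNERABLE pattern (reproduces the symptom in the thread). Shown for
    // contrast only; AutoEventWireup does not wire this method.
    // The redirect header is set, but endResponse is false and there is no
    // return, so the rest of the lifecycle runs and the admin markup is
    // rendered into the body of the 302. A browser follows the redirect and
    // never displays it; an HTTP proxy shows the complete page.
    protected void Page_Load_Vulnerable(object sender, EventArgs e)
    {
        if (!User.IsInRole("Admin"))
        {
            Response.Redirect(FormsAuthentication.LoginUrl, endResponse: false);
        }
        BindAdminData(); // still executes for non-admin users
    }

    // HARDENED pattern: decide authorization before any output is produced,
    // stop the response when the check fails, and never reach the admin
    // data-binding code.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated || !User.IsInRole("Admin"))
        {
            // endResponse: true ends the response after the Location header is
            // written, so Render never runs and the 302 body contains only the
            // framework's short "Object moved" stub, not admin content.
            Response.Redirect(FormsAuthentication.LoginUrl, endResponse: true);
            return; // defensive: not reached after End(), but makes intent explicit
        }
        BindAdminData();
    }

    private void BindAdminData()
    {
        // Admin-only data is loaded and bound to controls here (placeholder).
    }
}
```

Two caveats worth knowing. First, FormsAuthentication.RedirectToLoginPage() issues its redirect without ending the response, so it has the same problem as the vulnerable method above unless the caller returns or ends the response itself. Second, a per-page check is only as good as the developer's discipline on every page; the more robust fix is declarative, with a <location path="Admin"> element in web.config whose <authorization> section contains <allow roles="Admin"/> followed by <deny users="*"/>. The UrlAuthorizationModule then rejects the request before any page handler runs (the FormsAuthenticationModule turns the resulting 401 into the login redirect), so no page code gets a chance to render admin content. Either way, the check for the fix is the same one that found the problem: the 302 seen in the proxy should have an essentially empty body.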
