Security Breach using history.



elcaro2k
07-12-2004, 04:59 PM
I need some advice in the area of security. I am a new developer for a website that has been up for 4 years with no security problems. We use session variables that are timed out after 5 minutes and session abandon when the user logs out.

The problem is that last Tuesday a user logged in and viewed his medical claims and then apparently walked away from the PC. The next day he went back through history and was able to view another customer's claims. The other customer's name wasn't in the header, but it was actually claims.

Does anyone have an idea where I should start to look for the problem?

Thanks,
Ray

raf
07-12-2004, 08:29 PM
First off: there is no bulletproof way to prevent client-side caching, since not all browsers honor caching instructions in your header.
It's clear that you should do your work to prevent client-side caching (by sending a pragma header, for instance), but security is not only a matter of the developer, but also of the user.

In the specific case you describe, it was probably a shared computer that cached the pages. I wouldn't know what you can do against that, except telling your clients that they create a security risk by using shared computers and caching the pages.

Info on preventing caching (or attempting to prevent it): http://www.15seconds.com/issue/970920.htm

elcaro2k
07-12-2004, 08:35 PM
Thanks raf.

I was able to recreate the issue. The claims.asp page is inside a frame, but, when you view claims, the claims.asp full URL is recorded into history. It looks like this:
http://www.company.name/memberservice/claims/claims.asp?Prodcde=1&Member=10

When I click on that URL in history, it brings a different member's claims back. This brings 2 new questions to me. 1, how is the URL that is inside a frame being recorded in history, and 2, how can I prevent that from happening?

raf
07-12-2004, 08:57 PM
I was able to recreate the issue. The claims.asp page is inside a frame, but, when you view claims, the claims.asp full URL is recorded into history. It looks like this:
http://www.company.name/memberservice/claims/claims.asp?Prodcde=1&Member=10

When I click on that URL in history, it brings a different member's claims back. This brings 2 new questions to me. 1, how is the URL that is inside a frame being recorded in history, and 2, how can I prevent that from happening?
If that is true (which I find very hard to believe) then you must have an error in your application.
If they hit the item in the history, then it should either get the page from the cache (so then it is a page that was requested earlier by 'member 10') or request it from your server, but then your application should return the page for 'member 10'. Well, in this second case, the user should be redirected to the login screen, because you should check at the top of each page if the user is currently logged in.

But if member 10 browses through his history, it should never happen that he would get a page from 'member 11' by hitting a link from his history.
Only possible exception: if both user 10 and 11 use the same machine and the pages are cached client-side, or if you don't perform a login check at the top of each page.
If the first situation is the case, then there is no bulletproof method to prevent this (see above), but you should nonetheless do what is possible (sending the right headers + letting the pages expire immediately).

The second situation is perfectly controllable, by checking on each page if the client is logged in. It's virtually impossible that two people are on a shared computer at the same time, so if they use the exit link, then their history alone doesn't create a security risk.


About preventing a page from being included in the history: you can clean out a client's history, but I find that unacceptable behaviour. The client-side cache, history and the client's browser settings are his own responsibility.

By the way, passing the member ID through the querystring, now that is a real security risk. Everyone can just manipulate the querystring and request other members' pages. You should store the member value in a session variable and grab it from there.

elcaro2k
07-12-2004, 09:06 PM
Actually, member=10 just refers to which family member it is. The actual subscriber ID is in a session var. Husband = 10, wife = 20, dependent 1 = 30, etc. That is why this is so confusing. This is not a shared PC, and the data that is shown when nobody is logged in is a mystery. I am going to do the immediate expire and the pragma header and check at the top of each page to ensure that the user is logged in. I think this will do it for now.

Thanks,
ray

elcaro2k
07-12-2004, 09:47 PM
What is the proper method to use to see if a user is logged in?

Roy Sinclair
07-12-2004, 10:09 PM
What is the proper method to use to see if a user is logged in?



If Len(Request.ServerVariables("LOGON_USER")) < 1 Then
    ' no user is logged on
End If

elcaro2k
07-12-2004, 10:28 PM
Didn't work? I did a
Response.Write "val=" & Request.ServerVariables("LOGON_USER")
and it is empty or null when I know I am signed in? Is this something that I have to set after login?

oracleguy
07-13-2004, 12:02 AM
If you are dealing with information that is pretty personal to someone, you probably should be using SSL for their benefit; this will also usually mean the browser won't cache the pages at all, if I remember correctly.

raf
07-13-2004, 12:26 AM
What is the proper method to use to see if a user is logged in?
After processing the login, set a session variable.
Then at the top of each page, you check if that session variable is set. (Store the check in a separate file and include it in each page.) More elaborate explanation:
http://www.codingforums.com/showthread.php?s=&threadid=18372&highlight=login

Oracleguy
If you are dealing with information that is pretty personal to someone, you probably should be using SSL for their benefit; this will also usually mean the browser won't cache the pages at all, if I remember correctly.
Not sure about that. But I would expect that SSL would cache an encoded version of the page, and since the encoding key is session-specific, it wouldn't be decodable after the session is closed. But I never really looked into that. (I just think it wouldn't make sense to cache an un-encoded version of the page.)

Roy Sinclair
07-13-2004, 07:29 PM
Didn't work? I did a
Response.Write "val=" & Request.ServerVariables("LOGON_USER")
and it is empty or null when I know I am signed in? Is this something that I have to set after login?

That would be a network logon; if your users are logging on using a custom system, then how you'd tell would be dependent on that custom system.

elcaro2k
07-13-2004, 07:34 PM
Thanks everyone. I seem to have my problem solved by setting a session var at login and logout and testing the value on each page. I also added
Response.Expires = -1500
on each page as well.

I do have one question remaining. How does server-side caching come into play re: these security issues?
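Raf's recipe (a session variable set at login, an include at the top of each page that checks it, plus headers that tell the browser not to cache the page) and Ray's final fix, written out as a classic ASP include. This is an added example, not code posted in this thread; the session key SubscriberID, the login page path and the claims query shape are assumptions.

```vbscript
<%
' logincheck.asp: added example, not code from this thread.
' Include it at the top of every protected page:
'   <!-- #include file="logincheck.asp" -->
' Assumptions: login.asp sets Session("SubscriberID") after a successful
' login; logout.asp removes it and calls Session.Abandon.

' 1. Tell the browser (and any proxy) not to keep a copy of the page, so
'    walking back through history re-requests it from the server instead
'    of showing stale claims. Not every browser honours these, as noted above.
Response.Expires = -1
Response.ExpiresAbsolute = Now() - 1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' 2. Login check: the session marker is the only proof of a valid login.
'    A history URL re-requested after logout or after the 5-minute timeout
'    lands here and is sent to the login screen before any claims render.
'    (Response.Redirect ends processing of the page.)
If Len(Session("SubscriberID")) < 1 Then
    Response.Redirect "/memberservice/login.asp"
End If

' 3. Authorisation: the subscriber always comes from the session, never
'    from the querystring. Member=10/20/30 only selects a family member
'    within that subscriber's own household.
Dim subscriberId, familyMember
subscriberId = Session("SubscriberID")
familyMember = Request.QueryString("Member")
If Not IsNumeric(familyMember) Then familyMember = "10"   ' default: the subscriber

' Every claims lookup must filter on BOTH values, e.g. with an ADO command
' (adInteger/adParamInput come from adovbs.inc; assumed table and columns):
'   cmd.CommandText = "SELECT ... FROM Claims WHERE SubscriberID = ? AND Member = ?"
'   cmd.Parameters.Append cmd.CreateParameter("sub", adInteger, adParamInput, , subscriberId)
'   cmd.Parameters.Append cmd.CreateParameter("mem", adInteger, adParamInput, , familyMember)
%>
```

With this in place, a claims.asp URL replayed from history after logout cannot return anyone's data, because the session, not the URL, decides whose claims are queried.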


