Closed janssen-bart closed 3 years ago
@janssen-bart
Logout functionality is only available in the application when using OpenID Connect or WS-Federation authentication.
'Logging out' with integrated windows auth isn't implemented, because it's managed by the browser, rather than the app. There are no session cookies to clear, as the user identity is coupled to the browser session established by the client. Even if there was a session cookie to clear on our side, as soon as you refresh a page, the browser would automatically re-authenticate the user.
We really don't recommend using IWA in production scenarios. The whole point of AMS is to help prevent lateral movement across your organization. IWA is the primary cause of lateral movement. MFA protected OIDC and smart-card based auth are where we are investing our efforts.
Happy to discuss further if you have anything else to add.
Background
The sessions used in this web app are reused, and there is no logout button although a logout function is implemented in the backend. This means that if a user signs in on a device to administer the web application he or she has no easy way to leave his session. This allows someone to hijack the session by using the same machine. On top of that we noted that a logout functionality is implemented in the backend but that it does not kill the session, which allows an attacker to force a user to sign in with a session id already known by the attacker.
Remediation
Make sure the session expires client-side and server-side when a user signs out or when a user is inactive for a reasonable amount of time, and that a new session is generated when a user signs in. More information on secure session management can be found here: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
Evidence
There was no logout functionality in the application, so it was not possible to log out. This allows someone to hijack the session by using the same machine.
Authentication used/tested:
Integrated windows authentication Negotiate.
Extra ;-): Negotiate not working in Firefox
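The three properties the Remediation section asks for (a fresh session id on sign-in, server-side invalidation on sign-out, and an idle timeout) are easiest to reason about in a small server-side session store. The following is an added example written for this page, not code from the project or from either participant in the issue; the `SessionStore` class, the `IDLE_TIMEOUT_SECONDS` policy value, the cookie name `session` and the fake clock in `walkthrough()` are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical policy value; the page only asks for "a reasonable amount of time".
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store covering the three remediation points:
    regenerate the id on login, kill the session on logout, expire idle sessions."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout can be exercised offline

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG; never derived from anything the client sent.
        return secrets.token_urlsafe(32)

    def login(self, presented_id: Optional[str], user: str) -> str:
        """Authenticate `user` and issue a brand-new id.
        Whatever id the client presented is discarded, so an id that was known
        before authentication never becomes the authenticated session."""
        if presented_id in self._sessions:
            del self._sessions[presented_id]
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def resolve(self, sid: Optional[str]) -> Optional[str]:
        """Return the user bound to `sid`, or None if it is unknown, logged out,
        or has been idle longer than the policy allows."""
        s = self._sessions.get(sid) if sid is not None else None
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self._idle_timeout:
            del self._sessions[sid]  # server-side expiry, not just a cookie lifetime
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: Optional[str]) -> str:
        """Invalidate server-side and return the Set-Cookie value that also
        clears the cookie client-side (both halves are needed)."""
        if sid is not None:
            self._sessions.pop(sid, None)
        return "session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"


def walkthrough() -> dict:
    """Exercise the three properties with a constructed fake clock; returns the observations."""
    t = [1000.0]  # constructed clock so the idle timeout is testable without sleeping
    store = SessionStore(idle_timeout=60, clock=lambda: t[0])

    pre_auth_id = "id-presented-before-login"  # constructed id a client sends before auth
    issued = store.login(pre_auth_id, "alice")
    regenerated = issued != pre_auth_id and store.resolve(pre_auth_id) is None

    header = store.logout(issued)
    killed_on_logout = store.resolve(issued) is None

    sid2 = store.login(None, "alice")
    t[0] += 61  # one second past the idle limit
    expired_when_idle = store.resolve(sid2) is None

    return {"regenerated": regenerated, "killed_on_logout": killed_on_logout,
            "expired_when_idle": expired_when_idle, "cookie_header": header}


if __name__ == "__main__":
    print(walkthrough())
```

The point of `login()` ignoring the presented id is the session-fixation case the Background section describes: a session id that existed before sign-in is never promoted to an authenticated one. `logout()` deliberately returns the clearing `Set-Cookie` value alongside the server-side pop, because clearing only the cookie leaves the server-side session alive for anyone who still holds the id.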