Feature Description
In certain configurations it is possible to decrypt, modify, and then re-encrypt cookies issued by .NET applications. This can lead to session tampering and, in some cases, escalate to remote code execution via deserialization.
Problem
Chariot currently performs minimal analysis of cookies presented by web applications during scanning. Such issues, while rare and somewhat difficult to identify, often have high impact. Introducing this capability would enhance Chariot's ability to identify material risks.
Preferred Solution
Several public tools exist to detect this issue.
blacklist3r looks for .NET machineKey exposures specifically. It takes data from a cookie as input and attempts to decrypt it using a list of known bad keys.
badsecrets looks for .NET issues as well as a longer list of similar issues in other applications.
Both tools would likely require some sort of crawler-like prerequisite in order to establish sessions with sites before extracting session information for analysis.
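To illustrate the known-bad-key check these tools perform, here is an added example (not code from this issue, Chariot, blacklist3r or badsecrets). It assumes a simplified cookie layout of payload || HMAC-SHA256(validationKey, payload) with the key used directly; real ASP.NET framing derives per-purpose subkeys, so production tooling mirrors the framework's own key derivation. The key list and cookies are constructed fixtures, not real leaked keys.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the public "known bad" machineKey lists (hex-encoded).
KNOWN_BAD_VALIDATION_KEYS = [
    "0f" * 64,
    "a1b2c3d4" * 16,
]

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def find_known_key(cookie_value: str, candidate_keys=KNOWN_BAD_VALIDATION_KEYS):
    """Return the hex key that validates the cookie's MAC, or None.

    A hit means the application is signing session material with a published
    key, which is the finding a scanner should report (assumed layout, see above).
    """
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except ValueError:
        return None  # not a base64 cookie body, nothing to test
    if len(raw) <= TAG_LEN:
        return None  # too short to carry a payload plus a MAC tag
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    for key_hex in candidate_keys:
        expected = hmac.new(bytes.fromhex(key_hex), payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return key_hex
    return None


def make_sample_cookie(key_hex: str, payload: bytes) -> str:
    """Constructed fixture: build a cookie signed under the assumed layout."""
    tag = hmac.new(bytes.fromhex(key_hex), payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()
```

A match should be reported as a finding and remediated by rotating the machineKey; a non-match says nothing about the strength of whatever key is actually in use.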