Sep 19th, 2008, 08:01 AM
#1
Thread Starter
Frenzied Member
[RESOLVED] [2008] Hacking ASP.NET - For own site
Good Afternoon, I think I better explain before I get shouted at,
My colleague (as described yesterday) is creating a web application for employees only. It doesn't need to be top secret, but basic protection is required. Rather than making users log on to everything, what he has done is add a link to our OWA website that opens up the other ASP.NET site with a variable, and the other web application checks the variable: if it equals this, show the site; if not, push back to the OWA logon.
He has got it all up and running and asked me to check it out to see how easy it is to get into. Now, knowing the variable, I did: http://site.domain/page.aspx?Varible=this
And I was straight in, because I knew what the variable was called and I knew what it had to contain. But my question is: is there any way I can hack into the site not knowing the variable name and not knowing what it must contain? There's no other protection on this site, so is there some way I can trick it into revealing it or something?
Thanks,
-
Sep 22nd, 2008, 05:19 AM
#2
Re: [2008] Hacking ASP.NET - For own site
Yes, there could be several ways to bypass it. First, a bad guy could look at a user's history and notice this 'new' URL in there with the querystring. Also, this URL just 'lying around' (say in someone's favorites or a piece of paper) would make it a giveaway.
Another way would be if the bad guy gained file access to the machine with the files on it, looked at the code and realized that certain parameters are being awaited on a particular page. Of course at that point, any security would be moot.
-
Sep 22nd, 2008, 05:53 AM
#3
Thread Starter
Frenzied Member
Re: [2008] Hacking ASP.NET - For own site
Hi Mendhak thanks for the reply,
I realise that anyone with access to a machine that the website was used on could look at history, favs, etc., but what I am after is any way of gaining access to it for a complete outsider who has no access to a machine that has been used, etc.
As for the history, the variable is done behind the scenes during normal operation and nothing is placed in the URL, so when they hit the link we have made, it places the variable behind the scenes on the server for the user's session and the URL just looks normal. However, it can also be accessed by specifying the variable in the URL; it's just not how we normally do it.
There is nothing top secret behind this, and anyone knowing what's behind it wouldn't bother trying to gain access, but our company wants it protected and users don't want to have to log in multiple times, so this is the best way we could come up with, and people aren't going to be using it on non-company machines.
So by the sound of what you said and lack of any other comments it doesn't sound like there is a way then.
Thanks,
Max
-
Sep 22nd, 2008, 11:28 AM
#4
Re: [2008] Hacking ASP.NET - For own site
Yeah, sounds about right... an outsider doesn't have a way of knowing that the page exists or that it's expecting a certain querystring parameter unless it gets crawled by a search engine.
-
Sep 22nd, 2008, 01:57 PM
#5
Thread Starter
Frenzied Member
Re: [2008] Hacking ASP.NET - For own site
Great, thanks for the help, and there won't be any chance of a search engine finding it because there is no public link to it out there.
:-)
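Added example, not part of the thread and not the posters' code: the fixed query-string check described in post #1, next to a hand-off token that is signed and expires, so that a URL left in history or favorites (the concern raised in post #2) stops working. The class and method names, the key handling and the payload layout are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; HandoffToken, Issue and Validate are hypothetical names.
public static class HandoffToken
{
    // The pattern from the thread: one fixed value, the same for every user, valid forever.
    public static bool StaticCheck(string queryValue)
    {
        return queryValue == "this";
    }

    // Linking side: bind the token to a user and an expiry time, then sign it.
    public static string Issue(byte[] key, string user, DateTime expiresUtc)
    {
        string payload = user + "|" + expiresUtc.Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload)) + "." + Sign(key, payload);
    }

    // Receiving side: recompute the signature first, then check the expiry.
    public static bool Validate(byte[] key, string token, DateTime nowUtc, out string user)
    {
        user = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        string payload;
        try { payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])); }
        catch (FormatException) { return false; }
        if (!SlowEquals(Sign(key, payload), parts[1])) return false;
        int sep = payload.LastIndexOf('|');
        long ticks;
        if (sep < 0 || !long.TryParse(payload.Substring(sep + 1), out ticks)) return false;
        if (nowUtc.Ticks > ticks) return false;   // a saved or leaked URL no longer works
        user = payload.Substring(0, sep);
        return true;
    }

    static string Sign(byte[] key, string payload)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compare without stopping at the first mismatching character.
    static bool SlowEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The key is a random secret held only by the two servers, and the token must be URL-encoded before it goes into a query string because Base64 output can contain `+`, `/` and `=`.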