Hi All
After a previous post helped me to resolve an issue:
https://forum.mibuso.com/discussion/68152/how-to-clear-single-sign-on-credentials
I was reminded by a colleague of a security issue with the WebClient. We've seen that if you start a session with one user, you can copy the cookies etc from their IE temp files and drop them into your own temp files and carry on as the other user without re-authenticating.
We raised this with Microsoft and they didn't accept this as an issue, as users shouldn't be able to access these files from another user... OK, it's a valid point, but it doesn't stop it being a security flaw.
So, on realising that, I'm concerned that when using AccessControlService shared credentials, I could copy the IE temp files and put them on my machine, and NAV would just load as the other user without prompting me for any credentials.
So before I have to make a local system just to test this, I was hoping that someone had already confirmed this? Also if it is an issue, I'm sure you'd all like to know.
Regards
Ben
Answers
https://stackoverflow.com/questions/17030081/how-do-i-prevent-session-hijacking-by-simply-copy-a-cookie-from-machine-to-anoth
"It doesn't make sense to "protect" against this. If this kind of copying happens, then either:
The end user did it on purpose because they wanted to change computers. This is, of course, not something you should care about or be concerned about.
An attacker has already compromised the user's browser and gotten access to the cookies stored inside. By definition this cookie is a secret that proves the identity of the HTTP client. If the attacker already has access to it, they can already use it in any number of ways of their choosing that you won't be able to prevent or distinguish from the real user accessing the server legitimately."