I want to prevent the ASP.NET_SessionId cookie value from being viewed. Our tester team is changing the value to another user's and doing a man-in-the-middle attack in Burp Suite.
Any solution for this? I am using an ASP.NET Web Forms application. I also used authentication token logic, but that token is also visible and can be changed in Burp Suite.
Updated 1-Aug-14 2:32am

1 solution

So they're changing the session id to another one that they got by successfully authenticating as another user... so what's the issue?

If they have valid usernames and passwords for both users, changing the session id doesn't mean that they hacked anything.

Why do you say this is a man in the middle attack?
What can they actually do that they weren't supposed to? (knowing that they have valid username and password for both users)
Comments
vishal_h 5-Aug-14 4:59am    
Consider that there are two roles, NormalUser and Admin; if the hacker is a NormalUser and tries to access the site using the admin session, then it's an issue.
AlexCode 5-Aug-14 5:20am    
But how did he get the valid Admin session token?
Either he:
- also has the Admin username/pass
- he gained access to the Admin machine
- you're not using HTTPS and he found a way to attach himself to your server router and sniff your requests, inspecting the headers and so forth

The first 2 you can't do anything about...
The 3rd: I think you might have bigger problems if someone can actually do this easily in your organization.
vishal_h 8-Aug-14 4:12am    
The testers have a tool with which they monitor requests to the server and get the session value.
AlexCode 8-Aug-14 4:33am    
That's why I spoke about HTTPS. Under HTTPS they won't be able to get the request header because it's encrypted, and so they won't be able to get the session cookie.

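As an added illustration of the HTTPS advice in the answer above (this is example configuration, not code from the question or the answer), here is a web.config fragment for an ASP.NET Web Forms application that forces HTTPS and marks the ASP.NET_SessionId and forms-authentication cookies as Secure and HttpOnly. The redirect rule assumes the IIS URL Rewrite module is installed; ~/Login.aspx and the 20-minute timeouts are placeholder values.

```xml
<configuration>
  <system.web>
    <!-- Secure: the session cookie (and any other cookie the app creates) is only
         sent over HTTPS, so a network sniffer on plain HTTP never sees it.
         HttpOnly: the cookie is not readable from JavaScript. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- The forms-authentication ticket gets the same treatment; protection="All"
         encrypts and signs the ticket so its contents cannot be edited in transit. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
             slidingExpiration="true" timeout="20" />
    </authentication>

    <!-- Keep the session id in a cookie (never in the URL, where it leaks via logs and
         Referer headers) and do not honour expired ids presented by a client. -->
    <sessionState mode="InProc" cookieless="UseCookies"
                  regenerateExpiredSessionId="true" timeout="20" />
  </system.web>

  <system.webServer>
    <!-- Redirect every plain-HTTP request to HTTPS (requires IIS URL Rewrite). -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <!-- HSTS: browsers that have seen this header refuse to use plain HTTP afterwards. -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

These settings stop interception on the network and access from page scripts; a proxy such as Burp Suite that the user runs on their own machine still sees the cookie after TLS is terminated in the browser, which is expected and is why the server must never trust a session id as proof of a role the authenticated user does not actually hold.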
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)