Five New Optimizely Certifications are Here! Validate your expertise and advance your career with our latest certification exams. Click here to find out more

AI OnAI Off

Security Vulnerability: Stop logging raw session tokens

Vote:
 

Currently, active bearer tokens are exposed at the "INFO" log level by the IdentityAuthorizationServerProvider class, ie;

_log.Information($"Authentication Request: {GetRequestInfo(context)}");

This allows any malicious user with read-access to logs to assume the identity of any currently active user, including administrative users.

To prevent session hijacking raw session tokens should not be exposed (ref OWASP: http://owasp-aasvs.readthedocs.io/en/latest/requirement-3.6.html)

If session based troubleshooting\diagnostics is required, a common approach is to one-way hash (eg MD5) the session token before recording it.

#192464
May 17, 2018 10:49
Quan Mai
Quan Mai
Vote:
 

This I can agree with - at least partly - The level of logging should have been DEBUG. The reason was it can be later used for debugging and diagnosis. I will file a bug for it. Thanks.

#192470
May 17, 2018 11:44
This thread is locked and should be used for reference only.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.