My site has been hacked using Statcounter! Does Statcounter save the cookie protocol?

I had a pretty interesting hack case on my ASP.Net MVC site. For this website, I implemented a fairly simple authentication system for my administration area: an encrypted cookie that carries an identifying signature for the member. Whenever an administrator visits the website, the cookie is decrypted and the signature verified. If it matches, he does not need to log in.

A few days ago, a visitor to my site told me that he was able to enter my site simply by not clicking the referral link on his Statcounter console, which pointed to my administration area (I visited his site from the link inside my admin view).

He just clicked the link in statcounter and he was signed in as admin!

The only way this could happen is that statcounter somehow recorded my cookies and used them when he clicked on the link pointing to my admin!

Is this logical or understandable?

I do not understand what's going on. Do you have any suggestions on how I can protect my site from such things?

Update: I created an IP whitelist system to protect my administrator from unauthorized access. Basically, the server now compares the visitor's IP address with the whitelist and allows access only if the IP address is in this list. It also supports wildcards, so this will be fine even for dynamic IP addresses.


+5

, , , , - :

// Build a forms-authentication ticket for the signed-in user.
var authTicket = new FormsAuthenticationTicket(
    1,                            // ticket version
    userName,                     // user id
    DateTime.Now,                 // issue time
    DateTime.Now.AddMinutes(20),  // expiry
    createPersistentCookie,       // keep the cookie across browser sessions?
    null,                         // user data (none)
    "/");                         // cookie path

// Encrypt the ticket with the application's machineKey and store it in the forms cookie.
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));

HttpContext.Current.Response.Cookies.Add(cookie);

FormsAuthentication cookie machine.config

+3

, StatCounter - , , cookie . , , , , . , - , , , - (.. ) . , StatCounter.

+2

, XSS. , .

, ( ) cookie, :

$cookie = encoded($user-ip-address);   // on login: store an encoding of the client's IP in the cookie


, :

if ( decoded($cookie) == $user-ip-address ) {
    // successful login: the cookie was issued to this IP address
}
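As an added example (not code from the question or from any answer), here is one way to combine the two defences this thread touches on: the wildcard IP whitelist from the update and the idea above of tying the cookie to the client's address. The class name, the whitelist entries, the demo key and the cookie layout are all constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example, not code from the question or the answers: the wildcard IP whitelist from
// the update, plus a cookie whose HMAC also covers the client IP it was issued to.
public static class AdminAccessGuard
{
    // Constructed sample whitelist; "*" matches any value in that octet (IPv4 only).
    public static readonly string[] Whitelist = { "203.0.113.7", "198.51.100.*" };
    // Constructed demo key; a real deployment loads a random key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");
    public static bool IpMatches(string pattern, string clientIp)
    {
        string[] p = pattern.Split('.'), c = clientIp.Split('.');
        if (p.Length != 4 || c.Length != 4) return false;
        for (int i = 0; i < 4; i++)               // malformed octets are rejected, not matched
            if (!byte.TryParse(c[i], out byte octet) || (p[i] != "*" && p[i] != octet.ToString()))
                return false;
        return true;
    }

    public static bool IsWhitelisted(string clientIp) => Whitelist.Any(pat => IpMatches(pat, clientIp));

    // Cookie value: "<user>|<ip>|<hex HMAC-SHA256 over "<user>|<ip>">". User names must not contain '|'.
    public static string IssueCookie(string userName, string clientIp)
    {
        if (userName.Contains("|")) throw new ArgumentException("user name must not contain '|'");
        string payload = userName + "|" + clientIp;
        return payload + "|" + Hmac(payload);
    }

    // Accept only if the signature verifies, the request IP equals the IP baked into the cookie, and
    // that IP is whitelisted. Pass the connection address (Request.UserHostAddress in ASP.NET), not a
    // client-supplied header such as X-Forwarded-For, unless a trusted proxy sets it.
    public static bool VerifyCookie(string cookie, string clientIp)
    {
        string[] parts = cookie.Split('|');
        if (parts.Length != 3) return false;
        string expected = Hmac(parts[0] + "|" + parts[1]), given = parts[2];
        int diff = expected.Length ^ given.Length;  // constant-time comparison of the two MACs
        for (int i = 0; i < Math.Min(expected.Length, given.Length); i++) diff |= expected[i] ^ given[i];
        return diff == 0 && parts[1] == clientIp && IsWhitelisted(clientIp);
    }

    private static string Hmac(string data)
    {
        using (var h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
    }
}
```

With this in place a cookie issued to 203.0.113.7 verifies only when presented from 203.0.113.7, and a request from an address outside the whitelist is refused even with a valid signature.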
0

cookie XSS. , .

0

, StatCounter cookie!

Cookies / , cookie StatCounter.

, , , cookie, .net- URL- .

---url StatCounter , .

: ASP.NET

0
