Windows Identity Foundation (WIF) Security for ASP.NET Web Applications – Threats & Countermeasures

Article
12/01/2010

Windows Identity Foundation (WIF) is a security feature that offers broad functionality. Federated authentication, claims based authorization, token transformation to name a few. But only because WIF is a security feature does not make it secure and safe by default. To improve and strengthen WIF’s security it is useful to understand the threats associated with it and map the countermeasures that mitigates the threats. This is the list of Threats and Countermeasures for claims aware ASP.NET Web Applications distilled from existing WIF documentation. If you have more to add – feel free to submit in comments below.

Threats/Attack/Vulnerability	Countermeasures
Replay attack	Turn Reply Detection On by setting DetectReplayedTokens to true. It is set to false by default. Configure SSL for communications. Refer to requireHttps and requireSsl in WIF configuration Fine tune expire time of the STS token. Depends on your STS (Custom, ADFS 2.0, ACS) Fine time STS token cache. Refer to sessionTokenRequirement in WIF config
Token issued by STS that is not trusted	WIF verifies issuers signature. Refer to issuerNameRegistry in WIF config
Token is not intended for the application	WIF verifies token is intended for the application. Refer to audienceUris in WIF config.
Sensitive information exposed in wcts (including logs)	Provide adequate to your needs protection (signature/encryption) for this parameter.
User Can Be Signed Out of RP by Malicious Web Site	For STS - have the STS ignore the WS-Federation SignOut/SignOutCleanup message. Serve the user a page that gives the user the option to sign out. For RP – take appropriate action during OnSigningOut event.
wreply redirects to arbitrary URL	Make sure that wreply value is trusted

Windows Identity Foundation (WIF) Security for ASP.NET Web Applications – Threats & Countermeasures

Related Books

Related Info

Additional resources