Site feedback

BartHermans-3226 avatar image
0 Votes"
BartHermans-3226 suggested

Fiddler replay with ADFS / WAP security problem?

I have setup WAP/ADFS4.0 with a published IIS non-claims-based application with pre-authentication and kerberos. On WAP the Signout option is enabled for the application so a sign-out cleans up the EdgeAccessCookie and you need to log on again after a signout or closing the Chrome browser.
But if the EdgeAccessCookie is stolen before logout (with a Chome Extension like "EditThisCookie") , the hacker could re-use the cookie to sign-in. As long as the -PersistentAccessCookieExpirationTimeSec is valid on the WAP server for the published application, the cookie can be used to log on. (With a good claims-based application you can invalidate the session server-side, so the cookie replay can be avoided).
So far, so good.

My question is: when I use a Mitm like Fiddler or Charles (with HTTPS inspection), I can "repeat" the action long after the PersistentAccessCookieExpirationTimeSec specification is expired! Why is WAP taking in account the setting PersistentAccessCookieExpirationTimeSec with a browser and not with Fiddler or Charles?

I assume it is not a bug but I'm missing something...

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

No Solutions

Your Opinion Counts

Share your feedback, or help out by voting for other people's feedback.