Question
I'm trying to use .NET Remoting Client Activated Objects in order to keep the client's authentication information across multiple calls, instead of implementing a session management system which requires the client to send a session id in each call. As MSDN states:
When the client submits a request for a server object using the "new" operator, an activation request message is sent to the remote application. The server then creates an instance of the requested class and returns an ObjRef back to the client application that invoked it.
My question is: isn't it possible for an anonymous client (attacker) to guess/brute force an ObjRef and gain access to an existing object on the server?
In web-based session systems like ASP.NET/PHP, the session id can be considered a reference to the session object on the server, but it is too long (32 bytes, for example), so it is not possible to attack... but what about the ObjRef in remoting?
Update: I did some inspection in the reference source; it seems that there is a URI string associated with each instance of the ObjRef class. These URIs consist of a static (per-process) GUID, eighteen random bytes (in base64 form) and a counter number:
// Identity.cs:
// We insert the tick count, so that the uri is not 100% predictable.
// (i.e. perhaps we should consider using a random number as well)
String random = System.Convert.ToBase64String(GetRandomBytes());
// Need to replace the '/' with '_' since '/' is not a valid uri char
ObjURI = (IDGuidString + random.Replace('/', '_') + "_" + GetNextSeqNum() + ".rem").ToLower(CultureInfo.InvariantCulture);
I guess at least eighteen random bytes as an identifier for each ObjRef may be long enough to protect the object from a brute-force attack.
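As an added example (not code from the question or from the .NET Framework), the following Python mirrors the URI layout quoted above and quantifies what an attacker actually has to guess. It assumes the per-process GUID is rendered as 32 hex characters (the real IDGuidString format is not shown on the page) and that GetRandomBytes() returns CSPRNG-quality bytes. It also makes visible a detail of the quoted code: ToLower() is applied after base64 encoding, so upper- and lower-case letters collapse and the 24-character random part carries about 124.5 bits of Shannon entropy (120 bits of min-entropy) rather than the raw 144 bits. The GUID prefix and the sequential counter are known to anyone who has held any ObjRef from that process, so the random part is the only secret; at 120 bits it is still far beyond brute force.

```python
"""Added example (not from the original post or .NET): how much of a CAO
ObjURI an attacker must actually guess, modelled on the layout quoted from
Identity.cs: <process guid><base64(18 random bytes), '/'->'_'>_<seq>.rem,
lower-cased as a whole."""
import base64
import math
import os
import uuid
from itertools import count

# Assumption: per-process GUID rendered as 32 hex chars (real format not shown).
PROCESS_GUID = uuid.uuid4().hex
_seq = count(1)

RANDOM_BYTES = 18
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def make_obj_uri(rand_bytes=None, seq=None):
    """Mirror of the quoted construction (not the .NET implementation)."""
    if rand_bytes is None:
        rand_bytes = os.urandom(RANDOM_BYTES)  # assumption: CSPRNG-quality bytes
    if seq is None:
        seq = next(_seq)
    random_part = base64.b64encode(rand_bytes).decode("ascii").replace("/", "_")
    return f"{PROCESS_GUID}{random_part}_{seq}.rem".lower()


def split_obj_uri(uri):
    """Attacker's view of a leaked URI (e.g. the ObjRef for his own object):
    the GUID prefix is shared by every object in the process and the trailing
    counter is sequential, so only the middle part is unknown."""
    body = uri[: -len(".rem")]
    guid = body[: len(PROCESS_GUID)]
    # rsplit on the last '_' so '_' characters inside the random part survive
    random_part, seq = body[len(PROCESS_GUID):].rsplit("_", 1)
    return {"guid": guid, "random": random_part, "seq": int(seq)}


def folded_symbol_probabilities():
    """Per-character distribution of the random part after ToLower().
    Before folding each of the 64 base64 symbols is equally likely; folding
    merges 'A'..'Z' into 'a'..'z', so a letter is twice as likely as a digit,
    '+' or '_' (the replaced '/')."""
    probs = {}
    for sym in B64_ALPHABET:
        folded = "_" if sym == "/" else sym.lower()
        probs[folded] = probs.get(folded, 0.0) + 1.0 / 64
    return probs


def random_part_entropy_bits():
    """Returns (raw_bits, shannon_bits, min_entropy_bits) of the random part."""
    probs = folded_symbol_probabilities()
    chars = math.ceil(RANDOM_BYTES * 8 / 6)  # 18 bytes -> 24 base64 chars
    shannon = -sum(p * math.log2(p) for p in probs.values()) * chars
    min_ent = -math.log2(max(probs.values())) * chars
    return RANDOM_BYTES * 8, shannon, min_ent


def expected_brute_force_years(guesses_per_second):
    """Expected work for an attacker who tries the most likely strings first
    is about 2**(min_entropy - 1) guesses (conservative lower bound)."""
    _, _, min_ent = random_part_entropy_bits()
    seconds = 2 ** (min_ent - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    uri = make_obj_uri()
    print(uri)
    print(split_obj_uri(uri))
    print(random_part_entropy_bits())
    print(f"{expected_brute_force_years(1e9):.3e} years at 1e9 guesses/s")
```

The entropy drop from case folding does not change the practical answer to the question, but it is the kind of detail worth checking whenever an identifier is post-processed (lower-cased, truncated, or re-encoded) after the random bytes are generated: the secret is whatever survives that processing, not the number of bytes drawn from the RNG.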
Source: https://stackoverflow.com/questions/25384003/brute-force-attack-to-net-remoting-cao