I'm attacking WAP/ADFS 4.0 on premise.
I have a Kerberos IIS web server on the inside and it is published through WAP. The setup is correct: I can authenticate on the IIS server with my logon account. The IIS server is published with WAP pre-authentication and on WAP the option 'EnableSignOut' is enabled for the published application. When I log off, the EdgeAccessCookie is cleaned up and I need to log on again when I enter the URL. When I use a Chrome browser I can use an add-on (called EditThisCookie) to steal the EdgeAccessCookie on the client computer to replay it after I did a logoff. On the WAP published application the PersistentAccessCookieExpirationTimeSec is set very low, to 1 minute (60 seconds), to do the tests.
If I sign out of the web application in Chrome, the cookies are gone. When I quickly put the copied EdgeAccessCookie back (before 60 seconds), then I can do a login again (and the application works until the cookie expires = max 60 seconds). I can do a login with the re-used cookie because on the server side there's no invalidation of the session done. So, that's normal.
But, when I use Charles or Fiddler and I replay an action, I can always get to the IIS server even if the EdgeAccessCookie is long expired. I can see in the IIS logs that I'm authenticating with my account and getting to the data. So when a MitM tool like Charles or Fiddler is used, the WAP server is not stopping me. I once used Microsoft TMG and did the same test, but after sign-out from TMG I could not get further. Is this a bug in WAP/ADFS? I think so.
Regards.