2nd in an occasional series:
Here's the first one
Is CAT.NET correct that the following is a genuine vulnerability in ASP.NET or is it a false positive?
var myInt = Int32.Parse(txtUserInput.Text);
Response.Redirect(string.Format("myPage.aspx?myId={0}", myInt);
CAT.NET is reporting this as a redirect vulnerability needing remediation via encoding myInt.
Why does the recent ASP.NET security vurnerability specify an html error page to redirect to pre ASP.NET 3.5 SP1 but an aspx page for later versions?
View 1 RepliesI have a browser-like software application that logs in to my asp.net site through the login control. Depending on the user info used, the application gets redirected to a text file in the server. The content of the file is then displayed in the application.
The files are created using vb.net streamwriter createtext.
I can get the content of the file correctly the first time the application logs in to the website, but the the 2nd and succeeding attemps results in garbage data (different encoding maybe?). I didn't get this problem when I was hositng the asp.net site locally using (IIS 5.1) - the site is currently hosted using II 6 remotely. what could be wrong? Could it be because I don't log-out of the site?
I have written a web mailer that can send and receive emails and display them on a webpage.I have a problem displaying special characters though. Like Russian, and Greek and chinese.I am using openpop.net and I can get the encoding of the incoming email as one of my variables.Thing is, how do I display it? Do I set the content encoding of the whole page to what that specific email encoding is?I've got it UTF-8 at the moment and I get garbage.
View 3 RepliesIm pulling out a text field from the database which has and 's in it for line breaks. Which I have left there for pupose of being able to edit the fields later on.
So when i try to display the text I need to replace them which I have done with:
[Code]....
Simple enough. Only when I run the page the source code I get for it is:
<br />
So it seems its not encoding the < as a encode but into the form <
Does anyone know how to stop this happen. Or a method around it?
I'm in an interesting situation; I need to pass the IContainer to the IControllerActivator component that I'm defining, yet the IControllerActivator needs to be registered inside of the container. This is because the IControllerActivator will use the container to build the controllers.
I stored the container as a static reference from within the global.asax file; this way, any dependant object (like my activator) on the container can reference it. Since the activator uses the container, and needs to be registered in an autofac module, is there a way to define that this specific mapping needs a reference to the container, or can I register this after the container is built?
I've been dynamically asigning master pages using code for a number of years as part of a skinning engine. Today however,I'm needing to do a 'simple' ASP.Net site that just uses the out of the box basics.I'm hitting a hurdle though and can't figure why.
[code]...
Now - I want to add an <asp:placeholder> control inside the child page's <Content1> tags - however,the designer's intellisense doesn't show them. If I delete the MasterPageFile tag from the top of the child's page, then all of a sudden it works.Why can't I add a placeholder inside a child form?
I understand how to use jQuery to make an AJAX call to a WebMethod from a normal page, but I'm running into problems doing it from a UserControl (ASCX). Right now the biggest Issue I'm having is that the JavaScript for getting access to the groupDropDown control is not working. It seems that since this is a UserControl hosted within DotNetNuke, the ususal method of getting the CLientID is not working since it is nested down x number of levels. Here is what I have:
Javascript:
function validateEnrolledDate(src, args) {
var isValid;
[code]....
I'm now just referencing a TextBox:<asp:TextBox ID="dealerId" runat="server" CssClass="theDealer" />
The Text in the Textbox is being set in Server Side code, and it is visible on screen.The alert message is "undefined", so something is still happening so that it is not getting the value of that textbox...
In Scott Guthries blog on the ASP.NET Security vulnerability noted here he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section
redirectMode="ResponseRewrite"
What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?
I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.This is a bit vague, but here is a more frightening part: The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy.The cryptographic knowledge required is very basic.
All in all, I'm not familiar enough with the security/cryptograpy subject to know if this is really that serious.So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what?How does this issue affect the average ASP.NET developer? Does it affect us at all?
In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?EDIT: I'd like to summarize the responses I got so far.So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what does this type of attack mean. Here is a shocking video about the issue!About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker to get to know the machine key of an application. Thus, he can do some very unwanted things.
In posession of the app's machine key, the attacker can decrypt authentication cookies.
Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.It also lets him to decrypt (and also generate) session cookies, although this is not as dangerous as the previous one.Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn't do this anyways!)Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)
Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.You can encrypt sensitive data with Protected Configuration Use HTTP Only cookies Prevent DoS attacksNow, let's focus on this issue.Scott Guthrie published an entry about it on his blogScottGu's FAQ blog post about the vulnerabilityScottGu's update on the vulnerabilityMicrosoft has a security advisory about itUnderstanding the vulnerabilityAdditional information about the vulnerabilityhe solutionEnable customErrors and make a single error page to which all errors are redirected. Yes, even 404s.
ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all.Some other
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?
I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.
Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability
The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd
We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:
[Code]....
Which executes an alert window when clicked.
After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>
but the alert window still fires! What am I doing wrong?
Just reading about this ASP.NET security vurnerability. Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability
View 3 RepliesSince installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.
The errors logged on the server are
System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl
With custom errors switched off a user sees the following information
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: [ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer:
Path: /]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90
to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.
Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
I have question is it possible to install Report Manager (IIS Service) on different server than Reporting Services is installed? I would like have IIS service (Report Manager) on one server and Reporting Services mechanism on the second one. Do you think this solution is possible?
View 2 Replieswhich one is better response.redirect or postbackurl(asp:button feture) to redirect web page?
View 3 RepliesI want to redirect to "~/City/Göteborg", but if I just write Response.Redirect("~/City/Göteborg"); I will end up with an ugly URL in the address-bar like this: http://www.mysite.com/City/G%c3%b6teborg..
So my question is how to redirect to obtain a clean url like http://www.mysite.com/City/Göteborg?
What's better in ASP.NET MVC
<%= Html.LabelForModel() %>
or
<%: Html.LabelForModel() %>
I have a url that I would like to put into my web.config file. http://google.com?parcel&bob&&smithI imagine that the .net run time is upset with the ampersand's so i encoded them to be&.http://google.com?rcel&bob&&smithThis also doesn't work. Any ideas would be great, if you could supply a link to the documentation of why this is that would be even better.
View 3 RepliesI have a problem with Response.Redirect to specific error page.
so far i have something like :
protected void Page_Load(object sender, EventArgs e)
{
if ((Request.QueryString["UbytovaniePrispevokID"].ToString()) == "")[code]......
What i want to do is.. I have one main page with new posts Each subject of the new post is the link to Another page where is Specific post and coments and user can leave a coment.
What I want is when the Request.QueryString["UbytovaniePrispevokID"].ToString()) == "" or null I want to redirect to error page ...
Can someone lead me to understanding when to set the encoding for the email step when sending new member emails. For instance what is the default or how can I tell what it is or if I want to set it in the SendMail event in code. See the thing I am wondering is when is it applied? If I set the MailDefinition-From in the html part then in code using the SendMail event set the encoding using
e.Message.From = new
MailAddress("foo@bar.com","foo",System.Text.Encoding.UTF8);
then I assume that it must actually get applied when the email is sent. Is that correct?
I'm developing a small ASP.NET Mvc project in Mono 2.4, Ubuntu 10.10. There is an array of objects, each one of them corresponds to a certain xml file. Reading of the xmls is performed with XmlTextReader. That does not work because xml files have rare "cp866nav" encoding, which is not supported by XmlTextReader ("System.ArgumentException: Encoding name 'cp866nav' not supported"). But it works fine if encoding in xml header is changed to "cp866". I found a kind of solution which consists in initializing XmlTextReader with a StreamReader with a certain encoding instead of file name, like in the code below:
XmlTextReader reader = new XmlTextReader(new StreamReader(Server.MapPath(filename), Encoding.GetEncoding("cp866")));
The issue is that the directory which contains xml files is read only (I can not change it), so I get "System.UnauthorizedAccessException: Access to the path '' is denied.". Rather strange, because XmlTextReader initialized with a filename seems to read the files. Is there any solution, considering that program cannot modify or create files?
I have a problem in my asp.net 3.5 application (C#) when I try to render in my pages characters like 'è' which are shown in a very strange manner (if i'm lucky i get a ? mark in my web page). in fact Expression Web, when i open my web site, substitutes the è char with �...How can I tell asp.net that I want to use a particular charset so that i can write in the html source letters like è without using hexadecimal codes??????I tried in the web.config this:inside the system.web namespace of the file but nothing works...
View 1 Replies