How Serious Is This New Security Vulnerability And How To Workaround It

Sep 15, 2010

I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.This is a bit vague, but here is a more frightening part: The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy.The cryptographic knowledge required is very basic.

All in all, I'm not familiar enough with the security/cryptograpy subject to know if this is really that serious.So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what?How does this issue affect the average ASP.NET developer? Does it affect us at all?
In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?EDIT: I'd like to summarize the responses I got so far.So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what does this type of attack mean. Here is a shocking video about the issue!About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker to get to know the machine key of an application. Thus, he can do some very unwanted things.

In posession of the app's machine key, the attacker can decrypt authentication cookies.
Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.It also lets him to decrypt (and also generate) session cookies, although this is not as dangerous as the previous one.Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn't do this anyways!)Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)

Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.You can encrypt sensitive data with Protected Configuration Use HTTP Only cookies Prevent DoS attacksNow, let's focus on this issue.Scott Guthrie published an entry about it on his blogScottGu's FAQ blog post about the vulnerabilityScottGu's update on the vulnerabilityMicrosoft has a security advisory about itUnderstanding the vulnerabilityAdditional information about the vulnerabilityhe solutionEnable customErrors and make a single error page to which all errors are redirected. Yes, even 404s.

ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all.Some other

View 12 Replies

Similar Messages:

RedirectMode In Security Vulnerability?

Sep 20, 2010

In Scott Guthries blog on the ASP.NET Security vulnerability noted here he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section


What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?

View 2 Replies

Security - Is The Cryptographic Vulnerability Work Around A BIG LIE

Sep 23, 2010

This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?

I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.

Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability

The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd

View 4 Replies

Wcf - Security Vulnerability (Cryptographic Oracles) And Web Services?

Sep 20, 2010

Just reading about this ASP.NET security vurnerability. Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability

View 3 Replies

Security Vulnerability (Cryptographic Oracles) - Why Html Redirect For Pre 3.5 SP1

Sep 21, 2010

Why does the recent ASP.NET security vurnerability specify an html error page to redirect to pre ASP.NET 3.5 SP1 but an aspx page for later versions?

View 1 Replies

Invalid Viewstate Since Oracle Padding Vulnerability Security Patch

Sep 29, 2010

Since installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.

The errors logged on the server are

System.Web.UI.ViewStateException: Invalid viewstate.
Client IP:
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl

With custom errors switched off a user sees the following information

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: [ViewStateException: Invalid viewstate.
Client IP:
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Path: /]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90

to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.

View 3 Replies

Workaround For Entity Framework Context.Refresh Bug?

Jan 7, 2011

I ran into this problem using EF4 and a self-referential table (implementing an adjacency list hierarchy). NOTE: not a many-to-many reference, just a one-to-many on a single table. Attempts to resolve an intermittent InvalidOperationException ("...The ObjectContext might be in an inconsistent state...") using Context.Refresh fail due to an apparent bug in EF4. I saw, from following Shimmy's link, on the aforementioned post, that the bug is still outstanding. Can anyone recommend a workaround? What do you do if your database and Entity Framework get out of sync?

When I get the InvalidOperationException and the message says "The changes to the database were committed successfully...", it is not true. They weren't. I tried to change an object's ParentId from 1 to null (ParentId of type int?). My object's ParentId attribute is correctly changed to the expected value (null). I call Context.SaveChanges(). Then, the exception is thrown. I check the DB, and the value has not been updated. In this case, ParentId is still 1 in the database...................

View 1 Replies

Workaround Non-themeable Properties (specifically Asp:Button OnClientClick)?

Mar 12, 2010

Retrofitting ASP.NET WebForms themes to an old application I have a need to theme an <input> tag such that the JavaScript click event is different for each theme. I replaced with tag with an asp:Button, only to disciver that the OnClientClick property is not themeable.

View 1 Replies

DataSource Controls :: Calling Long Running SQL Procedure From UI - Workaround?

Jun 16, 2010

I have a site that calls a long running stored procedure that eventually times out the UI. The procedure simply runs some logic in the database, and kicks of a secondary process. No data is ever returned to the UI, so I don't need the UI to wait for anything.Is there a way to call the stored procedure from the UI and move on without having the UI having to wait for the store procedure to complete?

View 4 Replies

Forms Data Controls :: ObjectDataSource And DateTime - Set This Property To Null Without Workaround?

Mar 20, 2010

I use FormView with ObjectDataSource and class. I have a TextBox binded to a DateTime? property. When TextBox.Text property is empty i want to set the property of my class to null but the value is 1.1.1 00:00:00. My Workaround:


Is there a way to set this property to null without this workaround? Is this a bug in DataSource or is this a feature by design?

View 1 Replies

Cross Site Scripting Vulnerability?

Mar 25, 2010

We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:


Which executes an alert window when clicked.

After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>

but the alert window still fires! What am I doing wrong?

View 3 Replies

CAT.NET Is Reporting This As A Redirect Vulnerability Needing Remediation Via Encoding MyInt

Jan 5, 2011

2nd in an occasional series:

Here's the first one

Is CAT.NET correct that the following is a genuine vulnerability in ASP.NET or is it a false positive?

var myInt = Int32.Parse(txtUserInput.Text);

Response.Redirect(string.Format("myPage.aspx?myId={0}", myInt);

CAT.NET is reporting this as a redirect vulnerability needing remediation via encoding myInt.

View 3 Replies

Creating Custom Httphandler In Web.config: Am I At Risk Of Exposing A 'Padding Oracle' Vulnerability?

Oct 29, 2010

Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?

Asked in another way... what did MSFT do wrong and what did they fix in their handlers?

View 2 Replies

C# - Workaround For HttpContext.HideRequestResponse Being Internal? Detect If HttpContext.Request Is Really Available?

Apr 9, 2010

We're migrating an application to use IIS7 integrated mode. In library code that is designed to work either within the context of an HTTP request or not, we commonly have code like this:

if (HttpContext.Current != null &&
HttpContext.Current.Request != null) {
// do something with HttpContext.Current.Request
} else {
// do equivalent thing without HttpContext..

But in IIS7 integrated mode the check for HttpContext.Current.Request throws an exception whenever this code is called from Application_Start.

protected void Application_Start(object sender, EventArgs e)

Results in:

System.Web.HttpException: Request is not available in this context

How can I detect whether the request is really available without wrapping these calls in an exception handler and taking action based on whether an exception is generated or not.

Looking at HttpContext in Reflector I see it has an internal bool HideRequestResponse field but it's internal so I can only get to it with reflection and that's fragile. Is there a more official/approved way to determine if it's ok to call HttpContext.Request?

This blog post about the subject says not to use HttpContext, but how, in generic library code, can you determine if it's ok to use HttpContext?

I'm using the work-around mentioned there which is to use Application_BeginRequest and an initialized field to only initialize once as part of BeginRequest, but that has to be done in every calling application whereas I'd prefer to make the library code more robust and handle this situation regardless of where it's called from.

View 4 Replies

Security :: Webservice Security And Windows Authentication - Invoke SSIS Packages From Web Service

Dec 15, 2010

I have to invoke SSIS packages from web service in the most secure way. I think that windows authentication will be secure but i am not sure. I do not have much knowledge about how to achieve this and the information on the internet is very distributed.

View 1 Replies

Security :: Windows Authentication - Get Role Security In Web Config File To Coincide With Controls

Apr 6, 2010

We use Sharepoint to control our websites. We build the sites, then load them into the sharepoint server. My question is if I use windows authentication, how can I get my role security in my web config file to coencide with the controls that use the Forms authentication. Is there a differenence? Our security uses a session variable for security but there is no where to set up their permissions except in active directory. I hope this makes sense because I would like to implement the LoginView with Role groups but how can I give them the role="administrator"? Do I have to go into active directory and give them these permissions(would take awhile due to the size of the company)? Or do I have to set up priveladges in the web.config file for each user(difficult I think)?

View 5 Replies

Security :: 4 Security Via Windows Authentication - Restrict Access To Safe / UCantSeeMe.aspx

Aug 18, 2010

I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?

View 1 Replies

Security :: Getting Error Incase Of Incorrect Security Answer In Password Recovery Process

Jul 12, 2010

I am getting an error incase user submits incorect security question's answer. I gave text in 'QuestionFailureText'. But its not working.

Below is the error getting.
Security Exception Description:The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.

Source Error:


Source File: c:WindowsMicrosoft.NETFramework64v2.0.50727Temporary ASP.NET Filespng.webe16ed3ec284df543App_Web_rvfjstqa.5.cs Line: 0 Stack Trace:


View 3 Replies

Security :: Running Application Under The Security Context Of The Logged In User (LDAP Authentication)

Mar 17, 2011

We are using membership provider for LDAP authentication. It is working as it should.

But what all configuration settings I have to do so that
all the future requests to this application run under the security context of the Logged in user account not through the some default user set in IIS.

We need to have this working because all the permissions on the database are based on the logged in user.

We are using form authentication for LDAP authentication. And having impersonation = true in web.config.

View 1 Replies

Security :: Custom Access Denied Page For Role Based Security?

Oct 27, 2010

I have implemented role based security in my 2.0 application using windows authentication and the windowstokenroleprovider and limiting access to certain pages using the location tag to specific active directory groups.

The issue is that when a user tries to access a page they are not authorized to view it brings up a login prompt and when it does not pass it takes them to the default page that tells them they are not authorized to view the page. I am wondering if there is a way to throw up a custom page that tells them they are not athorized to view the page that I can incorporate into the site itself with the header and so forth? if this page could come up in lieu of the sign in box popping up as well.

View 2 Replies

To Implement Code Access Security, And URL Based Security Using The Roles & Types?

Apr 24, 2010

[ASP.NET 3.5, FormsAuthentication, SQL Server]

In the Roles table there is Role, and RoleType.

I have 3different roles, 2 of which have sub-roles.




I need to implement Code Access Security, and URL based security using the roles & types...

For instance, the (Subscriber/Basic) would need to view a different set of pages, and have different access to things then a (Subscriber/Business).

I think I can handle the Code Access security with a custom attribute, but I am unsure to how enforce a User be apart of 2 roles in the URL Authorization.

I am currently using the web.config to deny/allow access to the directories/pages.




Is it possible to force the user to be apart of 2 roles with this technique?

View 1 Replies

Security :: Used Security In Login Page Which Restricts All Users Who Have Not Logged In To All Pages?

Jun 23, 2010

i used security in login page which restricts all users who have not logged in to all pages. I need to restrict specific users to specific pages. I'm not using AspSqlService provider. So i cannot create roles and restrict automatically. And the pictures i use in login page are not visible @ runtime.

View 1 Replies

Security :: Membership As A Security/administration Model For Upload/download Of Documents?

Sep 9, 2010

I'm working on a website where it should be possible for registered users to upload word documents. The administration of users is done through Membership and Profiles. When the documents have been uploaded, the following needs to be achieved:Non-registered users should not be allowed to download documents I should be able to control which users that has access to which documents I should be able to register which user downloads which documents I should be able to track how many times a document has been downloaded
Can this be achieved be using Membership and Profiles?

View 1 Replies

Security :: Identity Impersonate + Integrated Security(DB) And Programatically Impersonating The User?

Nov 19, 2010

I have identity impersonate = true in the Web.config file. I have integrated security = true in the DB connection string in the Web.config file.Before identity impersonate was true,users were able to access the DB through the web service account (seemingly).Now I get an error which says " Login failed for ... " because I am aware there is no specific account for that user in the permissions for that DB instance.I needed to set identity impersonate = true because the web service does not have access to the Active Directory,which I need to retrieve certain user information.

My question is,does identity impersonate = true override the integrated security and attempt to user the authenticated user's account to connect to the DB? Is there a simple way to prevent this in the Web.config itself?If not,would programatically impersonating the user within the Active Directory query functions and setting identity impersonate = false do the trick here?

View 2 Replies

Security :: Getting Error / Request For The Permission Of Type 'System.Security.Permissions.FileIOPermission, Mscorlib

Jun 3, 2010

I am using Itext sharp to create a pdf. I am adding an image and I keep getting this error

Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, ersion=, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

it is this bit of code that is causing this


If i comment this out, the PDF builds and no errors are thrown (there is just no image)

I don't understand cause I am am trying to do is read a file.

View 2 Replies

Copyrights 2005-15, All rights reserved