Security - Is The Cryptographic Vulnerability Work Around A BIG LIE
Sep 23, 2010
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?
I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.
Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability
The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd
Just reading about this ASP.NET security vurnerability. Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability
i am trying to create a strong name for assembly.....by giving the below code----
assembly: AssemblyDelaySign(false)] assembly: AssemblyKeyFile(@"UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityinDebugABC.snk")] assembly: AssemblyKeyName("")]
when i am compiling project i am getting this error........
Error 1 Cryptographic failure while signing assembly 'C:UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityobjReleasecodeaccesssecurity.exe' -- 'Error reading key file 'UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityinDebugABC.snk' -- The system cannot find the path specified. '
In Scott Guthries blog on the ASP.NET Security vulnerability noted here he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section
redirectMode="ResponseRewrite"
What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?
I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.This is a bit vague, but here is a more frightening part: The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy.The cryptographic knowledge required is very basic.
All in all, I'm not familiar enough with the security/cryptograpy subject to know if this is really that serious.So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what?How does this issue affect the average ASP.NET developer? Does it affect us at all? In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?EDIT: I'd like to summarize the responses I got so far.So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what does this type of attack mean. Here is a shocking video about the issue!About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker to get to know the machine key of an application. Thus, he can do some very unwanted things.
In posession of the app's machine key, the attacker can decrypt authentication cookies. Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.It also lets him to decrypt (and also generate) session cookies, although this is not as dangerous as the previous one.Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn't do this anyways!)Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)
Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.You can encrypt sensitive data with Protected Configuration Use HTTP Only cookies Prevent DoS attacksNow, let's focus on this issue.Scott Guthrie published an entry about it on his blogScottGu's FAQ blog post about the vulnerabilityScottGu's update on the vulnerabilityMicrosoft has a security advisory about itUnderstanding the vulnerabilityAdditional information about the vulnerabilityhe solutionEnable customErrors and make a single error page to which all errors are redirected. Yes, even 404s.
ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all.Some other
Since installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.
With custom errors switched off a user sees the following information
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
We have developed a small method that pulls a cryptographic key from a signed xml document and then checks the signature using the SignedXml.CheckSignature method.
When run from a command line app the key validates properly. However as soon as I call it from a web app it stops working. Anybody know what could be happening?:
// Verify the signature of an XML file against an asymmetric // algorithm and return the result.XmlDocument Doc, RSA Key public static Boolean VerifyLicenceFile(string xmlLicFilePathArg) { bool isVerified = false;....
We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:
[Code]....
Which executes an alert window when clicked.
After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this: <a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>
but the alert window still fires! What am I doing wrong?
Our asp.net 2.0 app encountered the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.After adding the following in web.config -> <system.web> section:
i am having trouble running my application on iis when i enable rolemanagement. It works fine in the visual studio development server.
Is there anything i need to configure in iis to make that work?
This is the error page:
Server Error in '/testapp' Application.
Object reference not set to an instance of an object. Description: An unhandled exception occurred during the execution of the current web request. review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
[Code]....
Stack Trace:
[Code]....
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
i use visual studio 2010, SQL express 2008 on win server 2008
after running the wizard of security (created single user, set permissions like deny anonymous and allow the created user) and pressing F5 --> the site works just fine.
when i move the folder to IIS 7 and "convert to application" the login page appears but it wont accept the password i provided.
i was told that only Stackoverflow geniuses will answer this question.
i am using .Net 4, manged pipleine mode --> inegrated
IIS settings:
Anonymous Auth. --> Enabled Forms Auth. --> Enabled ASP.Net Impersonation, Basic Auth, Digest Auth, Windows Auth--> Disabled
These rules all point to being able to create directories within the virtual directory/application folder. In fact I am certain this has worked in the past, but recently has stopped working.
Note that this is not an NTFS permissions issue, files can be written,read and deleted in the virtual directory, only CreateDirectory is restricted somehow.
So what is going on, has a recent security update changed this functionality so that Medium Trust no longer has the ability to create directories?
I have the following code. I simply want to select the security question and answer from the DB and do something if the result is true.
This is my code:-
[Code]....
This code always returns the result of "Invalid User Credentials", so this means it does not recognize the values from the DB. When i put something in that SHOULD match i still get the same. I dont get an error message but the logic here is to select security question and answer where the question is equal to the dropdown box and the answer is equal to the textbox. If there is a match then do something..
But this does not work..
You can see what i mean here:-
[URL]
If you select "What street did you grow up in?" from the dropdown and then put in "deeplish" in the security answer, the result should be "**EXISTS".
I need to retrieve the user data from the different web application. In the web.config I can specifydifferent profiles, but I cannot figure out how can I use it in the application. This is what I did:
We have two different users and we want to authenticate them through "IIS Client Certificate Mapping Authentication" in IIS 7. They have certificates issued by VeriSign.When user requests a website, a pop-up appears on their browser to select a certificate. User can see both certificates and selects one of them and hit ok.We could capture Certificate attributes using
until now every thig is fine.We mapped one of two certificates to an AD user using this "Configuring One-to-One Client Certificate Mappings".http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/I am trying to print if user is authenticated or not using following code. and it is never authenticated. I don't know what mapping does. It seems it does nothing.Response.Write (Request.ServerVariables["LOGON_USER"]) ; Response.Write ("<BR>") ; Response.Write ("AUTH_USER: ") ;; Response.Write(Request.ServerVariables["AUTH_USER"]); Response.Write ("<BR>") ; Response.Write("IsAuthenticated :" + User.Identity.IsAuthenticated + "<br>"); Response.Write("HttpContext.Current.User.Identity :" + HttpContext.Current.User.Identity.IsAuthenticated + "<br>"); Response.Write("Request.IsAuthenticated :" + Request.IsAuthenticated + "<br>");
Can somebody help so that I can allow user only if he supplies a certificate that is mapped to a user. Currently any user having a certificate can get into the site, site is having anonymous authentication and certificate is required.
i'm working in my first integral website ,and i'm using the ASP.NET Login Controls but now i need to know how i can work with the user who loggedin ,i wanna visable his Data only not the all users data ,like for example the site is contain medical data for every user and when one user is logged in it will implement query to visual his Examination only.
I have a problem. I can't get current logged user to my application. Everything is fine on localhost. When I deployed an application
on IIS, it stopped working. I have Windows Authentication Enabled on my IIS. For every account which uses intranet, logged user is the same now, and it's an administration account.
Why application doesn't get real logged user, but administrator account ?
I have an ASP.Net 4.0 application that is using Forms Authentication and ActiveDirectoryMembershipProvider. It authenticates against Active Directory running on Windows Server 2008 R2.I use ChangePassword control for changing passwords.When the user changes the password he can log on for some time with the old password. My client feels this is a security problem with the application. Is there any way to make sure the old password does not work after the user changes it?Also, if I do iisreset on the web server, the old password stops working. The password must be cached somewhere in the web app.
I need to pass the credential of the logged in user to the DB, which is on a different server, is it that Impersation can only work if the DB is on the same machine as the web server? How can I flow the credential to the the server?
In my web.config I have configured a SiteMapProvider with securityTrimmingEnabled="true" and on my main master page is an asp:Menu control bound to an asp:SiteMapDataSource. In addition I have configured restricted access to all pages in a subfolder "Admin" (using another web.config in this subfolder).
... it seems that security trimming does not work: The menu item is visible for all users. (Access to the page is still restricted though, so selecting the menu item by non-Admin users does not navigate to the restricted page.)
Question: Is there any setting I've missed so far to make security trimming working with URL routing in ASP.NET 4.0 Web Forms? Did I do something wrong? Is there any work-around?