Wcf - Security Vulnerability (Cryptographic Oracles) And Web Services?
Sep 20, 2010
Just reading about this ASP.NET security vurnerability. Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability
View 3 Replies
Similar Messages:
Sep 21, 2010
Why does the recent ASP.NET security vurnerability specify an html error page to redirect to pre ASP.NET 3.5 SP1 but an aspx page for later versions?
View 1 Replies
Sep 23, 2010
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?
I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.
Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability
The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd
View 4 Replies
Mar 11, 2010
i am trying to create a strong name for assembly.....by giving the below code----
assembly:
AssemblyDelaySign(false)]
assembly:
AssemblyKeyFile(@"UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityinDebugABC.snk")]
assembly:
AssemblyKeyName("")]
when i am compiling project i am getting this error........
Error 1 Cryptographic failure while signing assembly 'C:UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityobjReleasecodeaccesssecurity.exe' -- 'Error reading key file 'UsersABCDocumentsVisual Studio 2008ProjectscodeaccesssecuritycodeaccesssecurityinDebugABC.snk'
-- The system cannot find the path specified. '
View 1 Replies
Sep 20, 2010
In Scott Guthries blog on the ASP.NET Security vulnerability noted here he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section
redirectMode="ResponseRewrite"
What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?
View 2 Replies
Sep 15, 2010
I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.This is a bit vague, but here is a more frightening part: The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy.The cryptographic knowledge required is very basic.
All in all, I'm not familiar enough with the security/cryptograpy subject to know if this is really that serious.So, should all ASP.NET developers fear this technique that can own any ASP.NET website in seconds or what?How does this issue affect the average ASP.NET developer? Does it affect us at all?
In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?EDIT: I'd like to summarize the responses I got so far.So, this is basically a "padding oracle" type of attack. @Sri provided a great explanation about what does this type of attack mean. Here is a shocking video about the issue!About the seriousness of this vulnerability: Yes, it is indeed serious. It lets the attacker to get to know the machine key of an application. Thus, he can do some very unwanted things.
In posession of the app's machine key, the attacker can decrypt authentication cookies.
Even worse than that, he can generate authentication cookies with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.It also lets him to decrypt (and also generate) session cookies, although this is not as dangerous as the previous one.Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn't do this anyways!)Quite unexpected: With the knowledge of the machine key, the attacker can download any arbitrary file from your web application, even those that normally can't be downloaded! (Including Web.Config, etc.)
Here is a bunch of good practices I got that don't solve the issue but help improve the general security of a web application.You can encrypt sensitive data with Protected Configuration Use HTTP Only cookies Prevent DoS attacksNow, let's focus on this issue.Scott Guthrie published an entry about it on his blogScottGu's FAQ blog post about the vulnerabilityScottGu's update on the vulnerabilityMicrosoft has a security advisory about itUnderstanding the vulnerabilityAdditional information about the vulnerabilityhe solutionEnable customErrors and make a single error page to which all errors are redirected. Yes, even 404s.
ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your Application_Error or Error.aspx put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.Some people recommended switching back to 3DES. In theory, if you don't use AES, you don't encounter the security weakness in the AES implementation. As it turns out, this is not recommended at all.Some other
View 12 Replies
Sep 29, 2010
Since installing the security patch for the ASP.NET Oracle Padding vunerability any user that was keeping themselves logged in to our site is getting error messages when hitting any page.
The errors logged on the server are
System.Web.UI.ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl
With custom errors switched off a user sees the following information
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: [ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer:
Path: /]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90
to delete all cookies and log back in, but obviously an average user, won't know to do this and I'm worried they will just think our site is broken.
View 3 Replies
Dec 2, 2010
We have developed a small method that pulls a cryptographic key from a signed xml document and then checks the signature using the SignedXml.CheckSignature method.
When run from a command line app the key validates properly. However as soon as I call it from a web app it stops working. Anybody know what could be happening?:
// Verify the signature of an XML file against an asymmetric
// algorithm and return the result.XmlDocument Doc, RSA Key
public static Boolean VerifyLicenceFile(string xmlLicFilePathArg)
{
bool isVerified = false;....
View 1 Replies
Mar 25, 2010
We recently discovered that our web app was vulnerable to cross site scripting (XSS) attacks. We managed to manipulate our inputs to produce the following HTML:
[Code]....
Which executes an alert window when clicked.
After HTMLEncoding using the AntiXSS the web app successfully encodes the output to look like this:
<a href="javascript:__doPostBack('ctl00$ContentPlaceHolder1$CtlSearchList1$CtlListView1$DataGrid1$ctl03$ctl00','')">'); onclick=alert('This
is an XSS vulernability. An attacker could do anything here (redirect to another website, virus etc)');('.txt</a>
but the alert window still fires! What am I doing wrong?
View 3 Replies
Apr 10, 2010
I need to know abt Microsoft Certificate Services ...can u guys xplain in details ....I find microsoft article regarding this ....Stil cnt able to do ..Am a new bee in this kind of stuff ....
View 2 Replies
Sep 13, 2010
Is there any way to use Asp.net's membership services through a web service? My boss, for some reason, wants this...
View 1 Replies
Feb 25, 2011
Our asp.net 2.0 app encountered the following error:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.After adding the following in web.config -> <system.web> section:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
The error occurs in those pages that uses AJAX.
View 1 Replies
Feb 16, 2010
I have an ASP.Net website with the standard forms auth membership database, and then a Reporting Services instance with a bunch of reports on it.
How can I integrate the security between the two servers? Worst case, I could just frame in the reports with some code and pass a universal set of credentials to the Reporting server, but I lose security granularity...I could pass the current set of credentials the same way, but then I have to keep the two db's synched. There has to be a better way.
View 1 Replies
Mar 1, 2010
I created a page for display my own windows services installed in the system. That page displays the service display name and status in the grid view and also showed one button to start ot stop the service according to the statusAll working nicely. But when i click start button i got the error as follows{"Cannot open Service1 service on computer '.'."}and the inner exception is "{"Access is denied"} .
View 1 Replies
Jan 5, 2011
2nd in an occasional series:
Here's the first one
Is CAT.NET correct that the following is a genuine vulnerability in ASP.NET or is it a false positive?
var myInt = Int32.Parse(txtUserInput.Text);
Response.Redirect(string.Format("myPage.aspx?myId={0}", myInt);
CAT.NET is reporting this as a redirect vulnerability needing remediation via encoding myInt.
View 3 Replies
Oct 29, 2010
Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
View 2 Replies
Jun 29, 2010
I have an ASP.NET application that is using Signle Sign On using Active Directory Federation Services
When the user first logs into the application, Once they are "authenticated", their credentials remain active while their web browser is open.
Now, I want the "authentication" to "timeout" in 60 minutes. This way if they browse to another page after 60 minutes, they are prompted to "re-enter" their credentials again.
I know that in FormsAuthentication, you can "de-authenticate" someone by calling "FormsAuthentication.SignOut();" in the Session_End Event in Global.asax.
Is there anyting like that for ADFS?
View 1 Replies
Feb 4, 2011
How to Find All the Web Services and Windows Services Running on a Server in ASP.Net. I have the server details with me and want to find all the Web services running on it.
View 1 Replies
Apr 3, 2010
I am using Visual Studio 2010 Release candidate1. I have to deploy my web application which consists of a website, certain window services, certain WCF services and Sql Server 2005 database.I read Vishal Joshi's blog(http://vishaljoshi.blogspot.com/2009/09/overview-post-for-web-deployment-in-vs.html) detaing Web Package in VS2010. I want to know how to deploy window services and WCF services using Web Package. Also, I want to create a web setup (.msi) for deployment instead of Web Package so that the .msi takes care of all the application and database deployment like the web package does.
View 1 Replies
Jul 20, 2010
I installed vs2010 in my machine and opened solution (of same version copied from other machine).
But getting stateservices error message..Moreover i am unable to find asp.net services in the list of services under serives.msc.
View 2 Replies
Mar 4, 2010
I am using HTML controls while using Ajax in my .net project. Now I want to make my text box to be autocomplete. I am fetching a data using a query for the respective typed text but i am not sure how to bind that data to text box and show it the way it is being displayed in google and other famous sites. I would also love to know the way using web services. Which way is more efficient?
View 1 Replies
Jun 20, 2010
I have an existing SQL database containing student:class enrollments and would like to add a login feature using asp.net's built in Membership and Roles management tools. to how to integrate the Application Services Database with an existing SQL database? Once I have created the Application Services tables using aspnet_regsql tool how and where do I create a link between my tables and the .Net Membership tables?
View 5 Replies
Jul 12, 2010
Makes it sense to use ASP.NET applications together with WCF RIA Services or WCF Data Services (to encapsulate the data access layer) ? Or are these technolgies only useful for Silverlight applications.
View 1 Replies
Mar 8, 2010
Which IIS Lowest Version Can be Use For Creating WCF web Services. and Which IIS Version is most suitable for working in WCF
View 2 Replies
Nov 15, 2010
Here is my scenario -
1/ I have an ASP.NET MVC application running on my server, it uses Windows Authentication.
2/ There is different web application (written in Java) somewhere else that also uses Windows Authentication.
In the Controller of my MVC application I need to grab some information from this other Web app. How can I connect to the "foreign" application using the credentials of the user that is accessing my Controller?
View 1 Replies