Important: ASP.NET Security Vulnerability: ASP Alliance

Print Add To Favorites Email To Friend Rate This Article
Important: ASP.NET Security Vulnerability

page 3 of 11

by Scott Guthrie
Feedback

Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 45696/ 109

Article Contents:

Introduction
What does the vulnerability enable?
How the Vulnerability Works
How to Workaround The Vulnerability
How to verify if the <customErrors> section is correct
Install and Enable IIS URLScan with a Custom Rule
Add an Addition URL Scan Rule
How to Find Vulnerable ASP.NET Applications on Your Web Server
Forum for Questions
Summary
Resources

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

« (Page 2)

View Entire Article

(Page 4) »

User Comments

No comments posted yet.

Product Spotlight